<!doctype html>
<html lang="en">
<head>
	<meta charset="UTF-8" />
	<meta name="viewport" content="width=device-width, initial-scale=1" />
	<link rel="profile" href="https://gmpg.org/xfn/11" />
	<title>A Deep Dive Into SoWaT: APT31&#8217;s Multifunctional Router Implant &#8211; imp0rtp3</title>
<meta name='robots' content='max-image-preview:large' />
<link rel='dns-prefetch' href='//s2.wp.com' />
<link rel='dns-prefetch' href='//s0.wp.com' />
<link rel='dns-prefetch' href='//s1.wp.com' />
<link rel='dns-prefetch' href='//wordpress.com' />
<link rel='dns-prefetch' href='//fonts.googleapis.com' />
<link rel='dns-prefetch' href='//s.pubmine.com' />
<link rel='dns-prefetch' href='//x.bidswitch.net' />
<link rel='dns-prefetch' href='//static.criteo.net' />
<link rel='dns-prefetch' href='//ib.adnxs.com' />
<link rel='dns-prefetch' href='//aax.amazon-adsystem.com' />
<link rel='dns-prefetch' href='//bidder.criteo.com' />
<link rel='dns-prefetch' href='//cas.criteo.com' />
<link rel='dns-prefetch' href='//gum.criteo.com' />
<link rel='dns-prefetch' href='//ads.pubmatic.com' />
<link rel='dns-prefetch' href='//gads.pubmatic.com' />
<link rel='dns-prefetch' href='//tpc.googlesyndication.com' />
<link rel='dns-prefetch' href='//ad.doubleclick.net' />
<link rel='dns-prefetch' href='//googleads.g.doubleclick.net' />
<link rel='dns-prefetch' href='//www.googletagservices.com' />
<link rel='dns-prefetch' href='//cdn.switchadhub.com' />
<link rel='dns-prefetch' href='//delivery.g.switchadhub.com' />
<link rel='dns-prefetch' href='//delivery.swid.switchadhub.com' />
<link rel='dns-prefetch' href='//a.teads.tv' />
<link rel='dns-prefetch' href='//prebid.media.net' />
<link rel='dns-prefetch' href='//adserver-us.adtech.advertising.com' />
<link rel='dns-prefetch' href='//fastlane.rubiconproject.com' />
<link rel='dns-prefetch' href='//prebid-server.rubiconproject.com' />
<link rel='dns-prefetch' href='//hb-api.omnitagjs.com' />
<link rel='dns-prefetch' href='//mtrx.go.sonobi.com' />
<link rel='dns-prefetch' href='//apex.go.sonobi.com' />
<link rel='dns-prefetch' href='//u.openx.net' />
<link rel="alternate" type="application/rss+xml" title="imp0rtp3 &raquo; Feed" href="https://imp0rtp3.wordpress.com/feed/" />
<link rel="alternate" type="application/rss+xml" title="imp0rtp3 &raquo; Comments Feed" href="https://imp0rtp3.wordpress.com/comments/feed/" />
<link rel="alternate" type="application/rss+xml" title="imp0rtp3 &raquo; A Deep Dive Into SoWaT: APT31&#8217;s Multifunctional Router&nbsp;Implant Comments Feed" href="https://imp0rtp3.wordpress.com/2021/11/25/sowat/feed/" />
	<script type="text/javascript">
		/* <![CDATA[ */
		function addLoadEvent(func) {
			var oldonload = window.onload;
			if (typeof window.onload != 'function') {
				window.onload = func;
			} else {
				window.onload = function () {
					oldonload();
					func();
				}
			}
		}
		/* ]]> */
	</script>
			<script type="text/javascript">
			window._wpemojiSettings = {"baseUrl":"https:\/\/s0.wp.com\/wp-content\/mu-plugins\/wpcom-smileys\/twemoji\/2\/72x72\/","ext":".png","svgUrl":"https:\/\/s0.wp.com\/wp-content\/mu-plugins\/wpcom-smileys\/twemoji\/2\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/s2.wp.com\/wp-includes\/js\/wp-emoji-release.min.js?m=1625065786h&ver=5.8.2"}};
			!function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");function s(e,t){var a=String.fromCharCode;p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,e),0,0);e=i.toDataURL();return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(o=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},r=0;r<o.length;r++)t.supports[o[r]]=function(e){if(!p||!p.fillText)return!1;switch(p.textBaseline="top",p.font="600 32px Arial",e){case"flag":return s([127987,65039,8205,9895,65039],[127987,65039,8203,9895,65039])?!1:!s([55356,56826,55356,56819],[55356,56826,8203,55356,56819])&&!s([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]);case"emoji":return!s([10084,65039,8205,55357,56613],[10084,65039,8203,55357,56613])}return!1}(o[r]),t.supports.everything=t.supports.everything&&t.supports[o[r]],"flag"!==o[r]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[o[r]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(n=t.source||{}).concatemoji?c(n.concatemoji):n.wpemoji&&n.twemoji&&(c(n.twemoji),c(n.wpemoji)))}(window,document,window._wpemojiSettings);
		</script>
		<style type="text/css">
img.wp-smiley,
img.emoji {
	display: inline !important;
	border: none !important;
	box-shadow: none !important;
	height: 1em !important;
	width: 1em !important;
	margin: 0 .07em !important;
	vertical-align: -0.1em !important;
	background: none !important;
	padding: 0 !important;
}
</style>
	<link rel='stylesheet' id='all-css-0-1' href='https://s1.wp.com/_static/??-eJytUtlOwzAQ/CFsN1UV5QXxLT5Wxs36kA8i/z1OgOI20PLAi6XZ2RnvxZZApHcZXGa2kIBFG5fYEqS3JFmDUG8QlSk9sU4m0OuL0PI4QzZOE8Eja6nXkfvixUfFVWIaveC4y+3qQzNDYmfIgcuZbGiX/pWrS4MCom5MBPY2HOmRHpgoBtX6/2YgIo+VpVwR/sMov4L9NjJOYlFrwW0coAwHbPTaUQcC8gqRIGguK7XGPZY3rsdXot+L3yrthserL5noaNSf+7+xiHzdb3ogl/5TdqTDRAeSjA0ITJmULxz52aLb/Dr6FreB7/u/I/s4YSFChJRIe60plmxr2i7nxT4P4+kwTONpnM7vL4Anug==?cssminify=yes' type='text/css' media='all' />
<style id='wp-block-library-inline-css'>
.has-text-align-justify {
	text-align:justify;
}
</style>
<style id='global-styles-inline-css'>
body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--color--primary: #9fd3e8;--wp--preset--color--secondary: #fbe6aa;--wp--preset--color--foreground: #ffffff;--wp--preset--color--background: #1f2527;--wp--preset--color--tertiary: #364043;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--duotone--dark-grayscale: url('#wp-duotone-dark-grayscale');--wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--midnight: url('#wp-duotone-midnight');--wp--preset--duotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: 17.3914px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 26.45px;--wp--preset--font-size--x-large: 42px;--wp--preset--font-size--normal: 23px;--wp--preset--font-size--huge: 30.4174px;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-primary-color{color: var(--wp--preset--color--primary) !important;}.has-secondary-color{color: var(--wp--preset--color--secondary) !important;}.has-foreground-color{color: var(--wp--preset--color--foreground) !important;}.has-background-color{color: var(--wp--preset--color--background) !important;}.has-tertiary-color{color: var(--wp--preset--color--tertiary) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-primary-background-color{background-color: var(--wp--preset--color--primary) !important;}.has-secondary-background-color{background-color: var(--wp--preset--color--secondary) !important;}.has-foreground-background-color{background-color: var(--wp--preset--color--foreground) !important;}.has-background-background-color{background-color: var(--wp--preset--color--background) !important;}.has-tertiary-background-color{background-color: var(--wp--preset--color--tertiary) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-primary-border-color{border-color: var(--wp--preset--color--primary) !important;}.has-secondary-border-color{border-color: var(--wp--preset--color--secondary) !important;}.has-foreground-border-color{border-color: var(--wp--preset--color--foreground) !important;}.has-background-border-color{border-color: var(--wp--preset--color--background) !important;}.has-tertiary-border-color{border-color: var(--wp--preset--color--tertiary) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;}.has-normal-font-size{font-size: var(--wp--preset--font-size--normal) !important;}.has-huge-font-size{font-size: var(--wp--preset--font-size--huge) !important;}
</style>
<link rel='stylesheet' id='all-css-2-1' href='https://s1.wp.com/_static/??/wp-content/mu-plugins/comment-likes/css/comment-likes.css,/i/noticons/noticons.css?m=1436783281j&cssminify=yes' type='text/css' media='all' />
<link rel='stylesheet' id='print-css-3-1' href='https://s1.wp.com/wp-content/themes/pub/varia/print.css?m=1571655471h&cssminify=yes' type='text/css' media='print' />
<link rel='stylesheet' id='all-css-4-1' href='https://s1.wp.com/_static/??-eJx9i9EKwjAMAH/Imomy+SJ+S1diV0mT0qQb+3snviiKb3dwB0txQdiQDWzCjAqljTDhjBXUVsJ9UN3B72z2NXlIHF6pW0qQ/DXk5gq1mFghojiS4C0Jf4i7kU/131pxJIkbRtiqN31O13w59KeuG87Dsb8/AI0OTsQ=?cssminify=yes' type='text/css' media='all' />
<link crossorigin="anonymous" rel='stylesheet' id='hever-fonts-css'  href='https://fonts.googleapis.com/css?family=PT+Sans%3A400%2C400i%2C700%2C700i&#038;subset=latin%2Clatin-ext&#038;display=swap' media='all' />
<link rel='stylesheet' id='all-css-6-1' href='https://s0.wp.com/wp-content/themes/pub/hever/style.css?m=1640078736h&cssminify=yes' type='text/css' media='all' />
<style id='jetpack-global-styles-frontend-style-inline-css'>
@import url('https://fonts.googleapis.com/css?family=Raleway:thin,extralight,light,regular,medium,semibold,bold,italic,bolditalic,extrabold,black|Cabin:thin,extralight,light,regular,medium,semibold,bold,italic,bolditalic,extrabold,black|');:root { --font-headings: Cabin; --font-base: Raleway; --font-headings-default: -apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",sans-serif; --font-base-default: -apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",sans-serif;}
</style>
<link rel='stylesheet' id='all-css-8-1' href='https://s1.wp.com/_static/??-eJxti0EKgCAQAD+UbVFGHaK3mJgaqyut0vejQ4eo0zAwA2cSmmI2MUMoImGxPjIk4iw2VP4Adurw0T6sNXMF/xeT9goFkqW3fKbsTDAMrgeLtCq8gyXM7dCNUjZy6vcLZTc31Q==?cssminify=yes' type='text/css' media='all' />
<script id='wpcom-actionbar-placeholder-js-extra'>
var actionbardata = {"siteID":"196241778","siteURL":"http:\/\/imp0rtp3.wordpress.com","xhrURL":"https:\/\/imp0rtp3.wordpress.com\/wp-admin\/admin-ajax.php","nonce":"c7dce5aac2","isLoggedIn":"","statusMessage":"","subsEmailDefault":"instantly","proxyScriptUrl":"https:\/\/s0.wp.com\/wp-content\/js\/wpcom-proxy-request.js?ver=20211021","shortlink":"https:\/\/wp.me\/sdhprY-sowat","i18n":{"followedText":"New posts from this site will now appear in your <a href=\"https:\/\/wordpress.com\/read\">Reader<\/a>","foldBar":"Collapse this bar","unfoldBar":"Expand this bar"}};
</script>
<script crossorigin='anonymous' type='text/javascript' src='https://s0.wp.com/_static/??/wp-content/js/mobile-useragent-info.js,/wp-content/js/rlt-proxy.js,/wp-content/blog-plugins/wordads-classes/js/cmp-stub.js?m=1637704497j'></script>
<script type='text/javascript'>
	window.addEventListener( 'DOMContentLoaded', function() {
		rltInitialize( {"token":null,"iframeOrigins":["https:\/\/widgets.wp.com"]} );
	} );
</script>
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://imp0rtp3.wordpress.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://s1.wp.com/wp-includes/wlwmanifest.xml" /> 
<meta name="generator" content="WordPress.com" />
<link rel="canonical" href="https://imp0rtp3.wordpress.com/2021/11/25/sowat/" />
<link rel='shortlink' href='https://wp.me/sdhprY-sowat' />
<link rel="alternate" type="application/json+oembed" href="https://public-api.wordpress.com/oembed/?format=json&amp;url=https%3A%2F%2Fimp0rtp3.wordpress.com%2F2021%2F11%2F25%2Fsowat%2F&amp;for=wpcom-auto-discovery" /><link rel="alternate" type="application/xml+oembed" href="https://public-api.wordpress.com/oembed/?format=xml&amp;url=https%3A%2F%2Fimp0rtp3.wordpress.com%2F2021%2F11%2F25%2Fsowat%2F&amp;for=wpcom-auto-discovery" />
<!-- Jetpack Open Graph Tags -->
<meta property="og:type" content="article" />
<meta property="og:title" content="A Deep Dive Into SoWaT: APT31&#8217;s Multifunctional Router Implant" />
<meta property="og:url" content="https://imp0rtp3.wordpress.com/2021/11/25/sowat/" />
<meta property="og:description" content="Executive Summary APT31 is long known to use Operational Relay Boxes (ORBs) and compromise routers.This report examines in detail their only publicly known router implant, dubbed &#8220;SoWaT&amp;#8221…" />
<meta property="article:published_time" content="2021-11-25T18:23:15+00:00" />
<meta property="article:modified_time" content="2021-11-25T19:04:01+00:00" />
<meta property="og:site_name" content="imp0rtp3" />
<meta property="og:image" content="https://imp0rtp3.files.wordpress.com/2021/11/main_2-2-e1637865396748.jpg" />
<meta property="og:image:width" content="750" />
<meta property="og:image:height" content="629" />
<meta property="og:image:alt" content="" />
<meta property="og:locale" content="en_US" />
<meta name="twitter:creator" content="@imp0rtp3" />
<meta name="twitter:site" content="@imp0rtp3" />
<meta name="twitter:text:title" content="A Deep Dive Into SoWaT: APT31&#8217;s Multifunctional Router&nbsp;Implant" />
<meta name="twitter:image" content="https://imp0rtp3.files.wordpress.com/2021/11/main_2-2-e1637865396748.jpg?w=640" />
<meta name="twitter:card" content="summary_large_image" />
<meta property="fb:app_id" content="249643311490" />
<meta property="article:publisher" content="https://www.facebook.com/WordPresscom" />

<!-- End Jetpack Open Graph Tags -->
<link rel="search" type="application/opensearchdescription+xml" href="https://imp0rtp3.wordpress.com/osd.xml" title="imp0rtp3" />
<link rel="search" type="application/opensearchdescription+xml" href="https://s1.wp.com/opensearch.xml" title="WordPress.com" />
<link rel="pingback" href="https://imp0rtp3.wordpress.com/xmlrpc.php"><meta name="application-name" content="imp0rtp3" /><meta name="msapplication-window" content="width=device-width;height=device-height" /><meta name="msapplication-tooltip" content="Threat intelligence, malware analysis and everything else infosec" /><meta name="msapplication-task" content="name=Subscribe;action-uri=https://imp0rtp3.wordpress.com/feed/;icon-uri=https://imp0rtp3.files.wordpress.com/2021/08/cropped-gd_obf.png?w=16" /><meta name="msapplication-task" content="name=Sign up for a free blog;action-uri=http://wordpress.com/signup/;icon-uri=https://s1.wp.com/i/favicon.ico" /><meta name="msapplication-task" content="name=WordPress.com Support;action-uri=http://support.wordpress.com/;icon-uri=https://s1.wp.com/i/favicon.ico" /><meta name="msapplication-task" content="name=WordPress.com Forums;action-uri=http://forums.wordpress.com/;icon-uri=https://s1.wp.com/i/favicon.ico" /><meta name="description" content="Executive Summary APT31 is long known to use Operational Relay Boxes (ORBs) and compromise routers.This report examines in detail their only publicly known router implant, dubbed &quot;SoWaT&quot;The implant is capable to function as RAT, a tunnel and a proxy.Extensive verification and double-encryption procedures signal a TA trying to evade even the most capable defenderThe implant&#039;s&hellip;" />
		<script type="text/javascript">

			window.doNotSellCallback = function() {

				var linkElements = [
					'a[href="https://wordpress.com/?ref=footer_blog"]',
					'a[href="https://wordpress.com/?ref=footer_website"]',
					'a[href="https://wordpress.com/?ref=vertical_footer"]',
					'a[href^="https://wordpress.com/?ref=footer_segment_"]',
				].join(',');

				var dnsLink = document.createElement( 'a' );
				dnsLink.href = 'https://wordpress.com/advertising-program-optout/';
				dnsLink.classList.add( 'do-not-sell-link' );
				dnsLink.rel = 'nofollow';
				dnsLink.style.marginLeft = '0.5em';
				dnsLink.textContent = 'Do Not Sell My Personal Information';

				var creditLinks = document.querySelectorAll( linkElements );

				if ( 0 === creditLinks.length ) {
					return false;
				}

				Array.prototype.forEach.call( creditLinks, function( el ) {
					el.insertAdjacentElement( 'afterend', dnsLink );
				});

				return true;
			};

		</script>
		<script id="cmp-configuration" type="application/configuration">{"gvlVersion":"122","consentLanguage":"EN","locale":"en","vendorsAll":"BDlr_6__7a_s_3_f__9ujzGr_v9e9_yGccL5tv3gu5f635ei_-wnZou_VNXBVyPEl27YJCAto5k6iak2LVEqteY9jUmzlORpRPZck09jL2zrAw9p8_sqfzJTPf_f__7_e-f___v_2_ue__r___7v__3__38____v_____________________-_A","vendorsLegInterest":"BDkAkw1LyALsyxwZNo0qhRAjCsJCoBQAUUAwtEVgA4OCnZWAT6ghYAITUBGBECDEFGDAIAABIAkIiAkALBAIgCIBAACAFCAhAARMAgsALAwCAAUA0LECKAIQJCDI4KjlMCAqRaKCWysQSgr2NMIAy3wIoFE9FQgI1miBYGQkLBzHAEgJeLJA8wRA","ajaxNonce":"7a20e2dd1d","modulePath":"https:\/\/s1.wp.com\/wp-content\/blog-plugins\/wordads-classes\/js\/","gvlPath":"https:\/\/public-api.wordpress.com\/wpcom\/v2\/sites\/196241778\/cmp\/vendors\/en\/","_":{"title":"Privacy & Cookies","intro":"We, WordPress.com, and our advertising partners store and\/or access information on your device and also process personal data, like unique identifiers, browsing activity, and other standard information sent by your device including your IP address. This information is collected over time and used for personalised ads, ad measurement, audience insights, and product development specific to our ads program. If this sounds good to you, select \"I Agree!\" below.  Otherwise, you can get more information, customize your consent preferences, or decline consent by selecting \"Learn More\". Note that your preferences apply to all websites in the <a href=\"https:\/\/automattic.com\/cookies\/#user-ads-consent\" target=\"_blank\">WordPress.com network<\/a>, and if you change your mind in the future you can update your preferences anytime by visiting the Privacy link displayed under each ad. One last thing, our partners may process some of your data based on legitimate interests instead of consent but you can object to that by choosing \"Learn More\" and then disabling the Legitimate Interests toggle under any listed Purpose or Partner.","config":"Learn More","accept":"I Agree!","viewPartners":"View Partners","error":"We're sorry but an unexpected error occurred. Please try again later."}}</script>		<script type="text/javascript">
		function __ATA_CC() {var v = document.cookie.match('(^|;) ?personalized-ads-consent=([^;]*)(;|$)');return v ? 1 : 0;}
		var __ATA_PP = { 'pt': 1, 'ht': 0, 'tn': 'hever', 'uloggedin': 0, 'amp': false, 'consent': __ATA_CC(), 'gdpr_applies': true, 'ad': { 'label': { 'text': 'Advertisements' }, 'reportAd': { 'text': 'Report this ad' }, 'privacySettings': { 'text': 'Privacy', 'onClick': function() { window.__tcfapi && window.__tcfapi( 'showUi' ) } } }, 'siteid': 8982, 'blogid': 196241778, 'js_hint': 'tcf2_test' };
		var __ATA = __ATA || {};
		__ATA.cmd = __ATA.cmd || [];
		__ATA.criteo = __ATA.criteo || {};
		__ATA.criteo.cmd = __ATA.criteo.cmd || [];
		</script>
		<script type="text/javascript">
		(function(){var g=Date.now||function(){return+new Date};function h(a,b){a:{for(var c=a.length,d="string"==typeof a?a.split(""):a,e=0;e<c;e++)if(e in d&&b.call(void 0,d[e],e,a)){b=e;break a}b=-1}return 0>b?null:"string"==typeof a?a.charAt(b):a[b]};function k(a,b,c){c=null!=c?"="+encodeURIComponent(String(c)):"";if(b+=c){c=a.indexOf("#");0>c&&(c=a.length);var d=a.indexOf("?");if(0>d||d>c){d=c;var e=""}else e=a.substring(d+1,c);a=[a.substr(0,d),e,a.substr(c)];c=a[1];a[1]=b?c?c+"&"+b:b:c;a=a[0]+(a[1]?"?"+a[1]:"")+a[2]}return a};var l=0;function m(a,b){var c=document.createElement("script");c.src=a;c.onload=function(){b&&b(void 0)};c.onerror=function(){b&&b("error")};a=document.getElementsByTagName("head");var d;a&&0!==a.length?d=a[0]:d=document.documentElement;d.appendChild(c)}function n(a){var b=void 0===b?document.cookie:b;return(b=h(b.split("; "),function(c){return-1!=c.indexOf(a+"=")}))?b.split("=")[1]:""}function p(a){return"string"==typeof a&&0<a.length}
		function r(a,b,c){b=void 0===b?"":b;c=void 0===c?".":c;var d=[];Object.keys(a).forEach(function(e){var f=a[e],q=typeof f;"object"==q&&null!=f||"function"==q?d.push(r(f,b+e+c)):null!==f&&void 0!==f&&(e=encodeURIComponent(b+e),d.push(e+"="+encodeURIComponent(f)))});return d.filter(p).join("&")}function t(a,b){a||((window.__ATA||{}).config=b.c,m(b.url))}var u=Math.floor(1E13*Math.random()),v=window.__ATA||{};window.__ATA=v;window.__ATA.cmd=v.cmd||[];v.rid=u;v.createdAt=g();var w=window.__ATA||{},x="s.pubmine.com";
		w&&w.serverDomain&&(x=w.serverDomain);var y="//"+x+"/conf",z=window.top===window,A=window.__ATA_PP&&window.__ATA_PP.gdpr_applies,B="boolean"===typeof A?Number(A):null,C=window.__ATA_PP||null,D=z?document.referrer?document.referrer:null:null,E=z?window.location.href:document.referrer?document.referrer:null,F,G=n("__ATA_tuuid");F=G?G:null;var H=window.innerWidth+"x"+window.innerHeight,I=n("usprivacy"),J=r({gdpr:B,pp:C,rid:u,src:D,ref:E,tuuid:F,vp:H,us_privacy:I?I:null},"",".");
		(function(a){var b=void 0===b?"cb":b;l++;var c="callback__"+g().toString(36)+"_"+l.toString(36);a=k(a,b,c);window[c]=function(d){t(void 0,d)};m(a,function(d){d&&t(d)})})(y+"?"+J);}).call(this);
		</script><link rel="amphtml" href="https://imp0rtp3.wordpress.com/2021/11/25/sowat/amp/"><style type="text/css" id="custom-colors-css">
	:root,
	#editor .editor-styles-wrapper {
					--wp--preset--color--background: #1f2527;
			--wp--preset--color--background-low-contrast: hsl( 195,20.512820512821%,5.2941176470588%);
			--wp--preset--color--background-high-contrast: hsl( 195,20.512820512821%,25.294117647059%);
						--wp--preset--color--foreground: #ffffff;
			--wp--preset--color--foreground-low-contrast: hsl( 0,0%,110%);
			--wp--preset--color--foreground-high-contrast: hsl( 0,0%,90%);
						--wp--preset--color--primary: #9fd3e8;
			--wp--preset--color--primary-hover: hsl( 197.2602739726,31.465517241379%,100.98039215686%);
			--wp--preset--color--primary-dark: hsl( 197.2602739726,31.465517241379%,80.980392156863%);
						--wp--preset--color--secondary: #fbe6aa;
			--wp--preset--color--secondary-hover: hsl( 44.444444444444,32.270916334661%,108.43137254902%);
						--wp--preset--color--border: #364043;
			--wp--preset--color--border-low-contrast: hsl( 193.84615384615,19.402985074627%,36.274509803922%);
			--wp--preset--color--border-high-contrast: hsl( 193.84615384615,19.402985074627%,16.274509803922%);
			}

	.wp--preset--color--background { background-color: #1f2527;}
.wp--preset--color--foreground { color: #ffffff;}
.wp--preset--color--primary { color: #9fd3e8;}
.wp--preset--color--secondary { color: #fbe6aa;}
.wp--preset--color--tertiary { color: #364043;}
</style>
<link rel="icon" href="https://imp0rtp3.files.wordpress.com/2021/08/cropped-gd_obf.png?w=32" sizes="32x32" />
<link rel="icon" href="https://imp0rtp3.files.wordpress.com/2021/08/cropped-gd_obf.png?w=192" sizes="192x192" />
<link rel="apple-touch-icon" href="https://imp0rtp3.files.wordpress.com/2021/08/cropped-gd_obf.png?w=180" />
<meta name="msapplication-TileImage" content="https://imp0rtp3.files.wordpress.com/2021/08/cropped-gd_obf.png?w=270" />
<script type="text/javascript">
	window.google_analytics_uacct = "UA-52447-2";
</script>

<script type="text/javascript">
	var _gaq = _gaq || [];
	_gaq.push(['_setAccount', 'UA-52447-2']);
	_gaq.push(['_gat._anonymizeIp']);
	_gaq.push(['_setDomainName', 'wordpress.com']);
	_gaq.push(['_initData']);
	_gaq.push(['_trackPageview']);

	(function() {
		var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
		ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
		(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(ga);
	})();
</script>
</head>

<body class="post-template-default single single-post postid-183 single-format-standard wp-embed-responsive customizer-styles-applied singular image-filters-enabled hide-homepage-title mobile-nav-side has-marketing-bar has-marketing-bar-theme-hever highlander-enabled highlander-light">

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-dark-grayscale"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0 0.49803921568627" /><feFuncG type="table" tableValues="0 0.49803921568627" /><feFuncB type="table" tableValues="0 0.49803921568627" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-grayscale"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0 1" /><feFuncG type="table" tableValues="0 1" /><feFuncB type="table" tableValues="0 1" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-purple-yellow"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0.54901960784314 0.98823529411765" /><feFuncG type="table" tableValues="0 1" /><feFuncB type="table" tableValues="0.71764705882353 0.25490196078431" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-blue-red"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0 1" /><feFuncG type="table" tableValues="0 0.27843137254902" /><feFuncB type="table" tableValues="0.5921568627451 0.27843137254902" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-midnight"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0 0" /><feFuncG type="table" tableValues="0 0.64705882352941" /><feFuncB type="table" tableValues="0 1" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-magenta-yellow"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0.78039215686275 1" /><feFuncG type="table" tableValues="0 0.94901960784314" /><feFuncB type="table" tableValues="0.35294117647059 0.47058823529412" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-purple-green"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0.65098039215686 0.40392156862745" /><feFuncG type="table" tableValues="0 1" /><feFuncB type="table" tableValues="0.44705882352941 0.4" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-blue-orange"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0.098039215686275 1" /><feFuncG type="table" tableValues="0 0.66274509803922" /><feFuncB type="table" tableValues="0.84705882352941 0.41960784313725" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg>
<div id="page" class="site">
	<a class="skip-link screen-reader-text" href="#content">Skip to content</a>

	
<header id="masthead" class="site-header responsive-max-width has-title-and-tagline has-menu" role="banner">
	

			<p class="site-title"><a href="https://imp0rtp3.wordpress.com/" rel="home">imp0rtp3</a></p>
	
		<p class="site-description">
			Threat intelligence, malware analysis and everything else infosec		</p>
		<nav id="site-navigation" class="main-navigation" aria-label="Main Navigation">

		<input type="checkbox" role="button" aria-haspopup="true" id="toggle" class="hide-visually">
		<label for="toggle" id="toggle-menu" class="button">
			Menu			<span class="dropdown-icon open">+</span>
			<span class="dropdown-icon close">&times;</span>
			<span class="hide-visually expanded-text">expanded</span>
			<span class="hide-visually collapsed-text">collapsed</span>
		</label>

		<div class="main-menu-container"><ul id="menu-primary-1" class="main-menu" aria-label="submenu"><li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-11"><a href="https://imp0rtp3.wordpress.com/">Home</a></li>
<li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-12"><a href="https://imp0rtp3.wordpress.com/blog/">Blog</a></li>
</ul></div>	</nav><!-- #site-navigation -->
	</header><!-- #masthead -->

	<div id="content" class="site-content">

	<section id="primary" class="content-area">
		<main id="main" class="site-main">

			
<article id="post-183" class="post-183 post type-post status-publish format-standard has-post-thumbnail hentry category-uncategorized tag-apt31 tag-malware tag-router tag-sowat entry">

	<header class="entry-header responsive-max-width">
		<h1 class="entry-title">A Deep Dive Into SoWaT: APT31&#8217;s Multifunctional Router&nbsp;Implant</h1>				<div class="entry-meta">
			<span class="byline"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><path d="M12 12c2.21 0 4-1.79 4-4s-1.79-4-4-4-4 1.79-4 4 1.79 4 4 4zm0 2c-2.67 0-8 1.34-8 4v2h16v-2c0-2.66-5.33-4-8-4z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg><span class="screen-reader-text">Posted by</span><span class="author vcard"><a class="url fn n" href="https://imp0rtp3.wordpress.com/author/cl3aver/">imp0rtp3</a></span></span><span class="posted-on"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><defs><path id="a" d="M0 0h24v24H0V0z"></path></defs><clipPath id="b"><use xlink:href="#a" overflow="visible"></use></clipPath><path clip-path="url(#b)" d="M12 2C6.5 2 2 6.5 2 12s4.5 10 10 10 10-4.5 10-10S17.5 2 12 2zm4.2 14.2L11 13V7h1.5v5.2l4.5 2.7-.8 1.3z"></path></svg><a href="https://imp0rtp3.wordpress.com/2021/11/25/sowat/" rel="bookmark"><time class="entry-date published" datetime="2021-11-25T19:23:15+01:00">November 25, 2021</time><time class="updated" datetime="2021-11-25T20:04:01+01:00">November 25, 2021</time></a></span><span class="cat-links"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M10 4H4c-1.1 0-1.99.9-1.99 2L2 18c0 1.1.9 2 2 2h16c1.1 0 2-.9 2-2V8c0-1.1-.9-2-2-2h-8l-2-2z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg><span class="screen-reader-text">Posted in</span><a href="https://imp0rtp3.wordpress.com/category/uncategorized/" rel="category tag">Uncategorized</a></span><span class="tags-links"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21.41 11.58l-9-9C12.05 2.22 11.55 2 11 2H4c-1.1 0-2 .9-2 2v7c0 .55.22 1.05.59 1.42l9 9c.36.36.86.58 1.41.58.55 0 1.05-.22 1.41-.59l7-7c.37-.36.59-.86.59-1.41 0-.55-.23-1.06-.59-1.42zM5.5 7C4.67 7 4 6.33 4 5.5S4.67 4 5.5 4 7 4.67 7 5.5 6.33 7 5.5 7z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg><span class="screen-reader-text">Tags:</span><a href="https://imp0rtp3.wordpress.com/tag/apt31/" rel="tag">apt31</a>, <a href="https://imp0rtp3.wordpress.com/tag/malware/" rel="tag">malware</a>, <a href="https://imp0rtp3.wordpress.com/tag/router/" rel="tag">router</a>, <a href="https://imp0rtp3.wordpress.com/tag/sowat/" rel="tag">sowat</a></span>		</div><!-- .meta-info -->
			</header>

	
			<figure class="post-thumbnail">
				<img width="800" height="671" src="https://imp0rtp3.files.wordpress.com/2021/11/main_2-2-e1637865396748.jpg?w=800" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" srcset="https://imp0rtp3.files.wordpress.com/2021/11/main_2-2-e1637865396748.jpg 800w, https://imp0rtp3.files.wordpress.com/2021/11/main_2-2-e1637865396748.jpg?w=150 150w, https://imp0rtp3.files.wordpress.com/2021/11/main_2-2-e1637865396748.jpg?w=300 300w, https://imp0rtp3.files.wordpress.com/2021/11/main_2-2-e1637865396748.jpg?w=768 768w" sizes="(max-width: 800px) 100vw, 800px" data-attachment-id="295" data-permalink="https://imp0rtp3.wordpress.com/2021/11/25/sowat/main_2-2/" data-orig-file="https://imp0rtp3.files.wordpress.com/2021/11/main_2-2-e1637865396748.jpg" data-orig-size="800,671" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="main_2" data-image-description="" data-image-caption="" data-medium-file="https://imp0rtp3.files.wordpress.com/2021/11/main_2-2-e1637865396748.jpg?w=300" data-large-file="https://imp0rtp3.files.wordpress.com/2021/11/main_2-2-e1637865396748.jpg?w=750" />			</figure><!-- .post-thumbnail -->

		
	<div class="entry-content">
		
<h1 id="executive-summary">Executive Summary</h1>



<ul class="has-large-font-size" style="line-height:1.6;"><li>APT31 is long known to use Operational Relay Boxes (ORBs) and compromise routers.</li><li>This report examines in detail their only publicly known router implant, dubbed &#8220;SoWaT&#8221;</li><li>The implant is capable to function as RAT, a tunnel and a proxy.</li><li>Extensive verification and double-encryption procedures signal a TA trying to evade even the most capable defender</li><li>The implant&#8217;s code reveals a long development history, most likely over several years</li></ul>



<h1 id="introduction">Introduction</h1>



<h3 id="apt31">APT31</h3>



<p><a rel="noreferrer noopener" href="https://malpedia.caad.fkie.fraunhofer.de/actor/apt31" target="_blank">APT31</a>, aka Zirconium, is an interesting Chinese threat actor, operating almost separately  any other Chinese TA. The group is targeting various types of targets of interest to the Chinese government. Notably, the group has been subject to several governmental attribution statements, including Germany, France, Norway, Australia. </p>



<figure class="wp-block-image alignwide size-large"><img data-attachment-id="252" data-permalink="https://imp0rtp3.wordpress.com/image1/" data-orig-file="https://imp0rtp3.files.wordpress.com/2021/11/image1.jpg" data-orig-size="1564,440" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="image1" data-image-description="" data-image-caption="" data-medium-file="https://imp0rtp3.files.wordpress.com/2021/11/image1.jpg?w=300" data-large-file="https://imp0rtp3.files.wordpress.com/2021/11/image1.jpg?w=750" src="https://imp0rtp3.files.wordpress.com/2021/11/image1.jpg?w=1024" alt="" class="wp-image-252" srcset="https://imp0rtp3.files.wordpress.com/2021/11/image1.jpg?w=1024 1024w, https://imp0rtp3.files.wordpress.com/2021/11/image1.jpg?w=150 150w, https://imp0rtp3.files.wordpress.com/2021/11/image1.jpg?w=300 300w, https://imp0rtp3.files.wordpress.com/2021/11/image1.jpg?w=768 768w, https://imp0rtp3.files.wordpress.com/2021/11/image1.jpg 1564w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>APT31 Timeline, taken with permission from sekoia.io</figcaption></figure>



<p>Sekoia published on the 10/11/21 a great <a rel="noreferrer noopener" href="https://info.sekoia.io/hubfs/%5BMarketing%5D%20-%20Ebook-analyse/BRINT%20APT31.pdf" target="_blank">report</a> expanding on previous report by the French ANSSI, The timeline above was copied with permission from them. </p>



<p>It is long known that APT31 is using ORBs (Operational Relay Boxes) for their network operations, specifically hacked routers. Still, there is no public research into how they are operate those ORBs. With this reports I try to shed some light into the groups capabilities on network devices and potential detection and prevention options. <br></p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img data-attachment-id="285" data-permalink="https://imp0rtp3.wordpress.com/capture-1/" data-orig-file="https://imp0rtp3.files.wordpress.com/2021/11/capture-1.png" data-orig-size="697,128" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="capture-1" data-image-description="" data-image-caption="" data-medium-file="https://imp0rtp3.files.wordpress.com/2021/11/capture-1.png?w=300" data-large-file="https://imp0rtp3.files.wordpress.com/2021/11/capture-1.png?w=697" src="https://imp0rtp3.files.wordpress.com/2021/11/capture-1.png?w=697" alt="" class="wp-image-285" srcset="https://imp0rtp3.files.wordpress.com/2021/11/capture-1.png 697w, https://imp0rtp3.files.wordpress.com/2021/11/capture-1.png?w=150 150w, https://imp0rtp3.files.wordpress.com/2021/11/capture-1.png?w=300 300w" sizes="(max-width: 697px) 100vw, 697px" /><figcaption>SoWaT checking how far off the clock is</figcaption></figure></div>



<h3 id="sowat">SoWaT</h3>



<p>The implant, I dubbed &#8220;SoWaT&#8221; because of its use of the custom file called &#8220;swt&#8221;, is an ELF file for 32-bit MIPS based processors. According to the research done by Sekoia, it was most likely used for Pakedge routers, as they represent the vast majority of attacked routers and often run a Linux based OS on MIPS32 processors. </p>



<p>The implant was first mentioned in a <a rel="noreferrer noopener" href="https://twitter.com/billyleonard/status/1417910729005490177" target="_blank">tweet</a> by <a rel="noreferrer noopener" href="https://twitter.com/billyleonard" target="_blank">billy leonard</a> as a router implant found by google TAG team and was attributed to APT 31. Sekoia reaffirmed that attribution in their report.<br><br>According to the upload time (Nov. 2019) and compilation information of the sample, it was most likely compiled during the fist half of 2019. The compilation used the February 2019 version of cross-compilation tool <a rel="noreferrer noopener" href="https://buildroot.org/" target="_blank">Buildroot</a>. </p>



<h1 id="execution-flow-1">Execution Flow</h1>



<figure class="wp-block-image alignwide size-large is-style-default"><img data-attachment-id="267" data-permalink="https://imp0rtp3.wordpress.com/main_2-1/" data-orig-file="https://imp0rtp3.files.wordpress.com/2021/11/main_2-1.jpg" data-orig-size="3424,2872" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="main_2-1" data-image-description="" data-image-caption="" data-medium-file="https://imp0rtp3.files.wordpress.com/2021/11/main_2-1.jpg?w=300" data-large-file="https://imp0rtp3.files.wordpress.com/2021/11/main_2-1.jpg?w=750" src="https://imp0rtp3.files.wordpress.com/2021/11/main_2-1.jpg?w=1024" alt="" class="wp-image-267" srcset="https://imp0rtp3.files.wordpress.com/2021/11/main_2-1.jpg?w=1024 1024w, https://imp0rtp3.files.wordpress.com/2021/11/main_2-1.jpg?w=2048 2048w, https://imp0rtp3.files.wordpress.com/2021/11/main_2-1.jpg?w=150 150w, https://imp0rtp3.files.wordpress.com/2021/11/main_2-1.jpg?w=300 300w, https://imp0rtp3.files.wordpress.com/2021/11/main_2-1.jpg?w=768 768w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<h3 id="tls-server-and-client">TLS Server and Client</h3>



<p>SoWaT communicates with the attacker using TLS, where it can function as a client or as a server, If the implant has a command line argument it start a server on the port given. Regardless of that, it tries to connect to a list of servers specified in its encrypted configuration (See <a href="#configuration">Configuration File</a>) every hour.  <br>Some functions of the implant can only be run if the implant is in server mode. </p>



<p>In both modes, the implant uses certificates and keys parsed from &#8220;swt&#8221; (See <a href="#swt">swt</a>). The CA keys to the chain to authenticate the attacker and uses the public and private key for its own. </p>



<p>When SoWaT works as server, it sends a Client certificate request, accepting only connections  client certificates by the CA from &#8220;swt&#8221;.<br>If it attempts to connect as client, it expects the server to send a client certificate request and in response it verifies itself using the private key in &#8220;swt&#8221;</p>



<p>All components of the TLS connection are implemented by the popular library mbedtls. The specific settings of SoWaT cause the connection to have a unique JA3 and JARM signature, see <a href="#iocs">IOCs</a>.</p>



<h3 id="command-loop">Command Loop</h3>



<p>Interestingly, The main execution function of SoWat isn&#8217;t exclusively used to execute command from the attacker but also called from withing the implant itself. This way complicates understanding . Functions in bold are function which were most likely intended to be used by the attacker.</p>



<p>After the TLS connection is successful, SoWaT waits for commands. <br>Any message needs to have the following basic structure: </p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img data-attachment-id="241" data-permalink="https://imp0rtp3.wordpress.com/basic_msg/" data-orig-file="https://imp0rtp3.files.wordpress.com/2021/11/basic_msg.jpg" data-orig-size="2264,468" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="basic_msg" data-image-description="" data-image-caption="" data-medium-file="https://imp0rtp3.files.wordpress.com/2021/11/basic_msg.jpg?w=300" data-large-file="https://imp0rtp3.files.wordpress.com/2021/11/basic_msg.jpg?w=750" src="https://imp0rtp3.files.wordpress.com/2021/11/basic_msg.jpg?w=1024" alt="" class="wp-image-241" srcset="https://imp0rtp3.files.wordpress.com/2021/11/basic_msg.jpg?w=1024 1024w, https://imp0rtp3.files.wordpress.com/2021/11/basic_msg.jpg?w=2048 2048w, https://imp0rtp3.files.wordpress.com/2021/11/basic_msg.jpg?w=150 150w, https://imp0rtp3.files.wordpress.com/2021/11/basic_msg.jpg?w=300 300w, https://imp0rtp3.files.wordpress.com/2021/11/basic_msg.jpg?w=768 768w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption>Command Message Univerval Structure</figcaption></figure></div>



<p>All Network protocol structures from here forward are in big endian.</p>



<p>According to the Message size, the implant allocates data and waits for all the data before executing the command.<br>The are 16 possible commands:</p>



<figure class="wp-block-table is-style-stripes"><table><tbody><tr><td>Function num.</td><td>Description</td></tr><tr><td>0</td><td>connect to  the servers detailed in the configuration</td></tr><tr><td>1</td><td>Unkown, most likely internal functions</td></tr><tr><td>2</td><td>Unkown, most likely internal functions</td></tr><tr><td><strong>3</strong></td><td>Connect to new server with new certificate</td></tr><tr><td>4</td><td>Unkown, most likely internal functions</td></tr><tr><td><strong>5</strong></td><td>start proxy functions</td></tr><tr><td><strong>6</strong></td><td>query proxy port</td></tr><tr><td><strong>7</strong></td><td>run RAT</td></tr><tr><td><strong>8</strong></td><td>reconnect again to Servers in configuration </td></tr><tr><td><strong>10</strong></td><td>Write current connection IPs to &#8220;config&#8221; file</td></tr><tr><td><strong>11</strong></td><td>Get information about all current TLS connections</td></tr><tr><td>12</td><td>Unkown,  likely internal functions</td></tr><tr><td>13</td><td>Unkown,  likely internal functions</td></tr><tr><td>15</td><td>Update Count of hours without connection</td></tr><tr><td><strong>16</strong></td><td>Exit process</td></tr><tr><td><strong>17</strong></td><td>If functions as server, delete all and exit process</td></tr></tbody></table></figure>



<p>Functions in bold are also called by the implant itself.</p>



<p>This command switch place can be confusing, as it combines both function called by the implant for itself and also function that can be called by the attacker. Moreover, some of the function seem to be largely overlapping, most likely because of code added in different parts of the development. The RAT and Proxy functions have their own section, I will describe here other notable functions:</p>



<h5 id="function-3">Function 3</h5>



<p>The function expects a buffer containing 482-byte long chunks of data detailing a connection to initiate, with the following structure:</p>



<figure class="wp-block-image size-large"><img data-attachment-id="234" data-permalink="https://imp0rtp3.wordpress.com/dorothy_3/" data-orig-file="https://imp0rtp3.files.wordpress.com/2021/11/dorothy_3.jpg" data-orig-size="2856,544" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="dorothy_3" data-image-description="" data-image-caption="" data-medium-file="https://imp0rtp3.files.wordpress.com/2021/11/dorothy_3.jpg?w=300" data-large-file="https://imp0rtp3.files.wordpress.com/2021/11/dorothy_3.jpg?w=750" src="https://imp0rtp3.files.wordpress.com/2021/11/dorothy_3.jpg?w=1024" alt="" class="wp-image-234" srcset="https://imp0rtp3.files.wordpress.com/2021/11/dorothy_3.jpg?w=1024 1024w, https://imp0rtp3.files.wordpress.com/2021/11/dorothy_3.jpg?w=2048 2048w, https://imp0rtp3.files.wordpress.com/2021/11/dorothy_3.jpg?w=150 150w, https://imp0rtp3.files.wordpress.com/2021/11/dorothy_3.jpg?w=300 300w, https://imp0rtp3.files.wordpress.com/2021/11/dorothy_3.jpg?w=768 768w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<h5 id="function-15">Function 15</h5>



<p>The function is called hourly by the implant. It checks whether there were any successfull connections to the implant in the last 24 hours and if there weren&#8217;t it calls Function 17.  It is unlikely that the function is intended to be called by the attacker directly.</p>



<h5 id="function-17">Function 17</h5>



<div class="wp-block-columns">
<div class="wp-block-column is-vertically-aligned-center" style="flex-basis:100%;">
<p>This killswitch tries to delete any artifact of the malware: it deletes the entrie current working directory and runs swt to revert any opened ports.</p>
</div>
</div>



<div class="wp-block-image"><figure class="aligncenter size-large"><img data-attachment-id="229" data-permalink="https://imp0rtp3.wordpress.com/delete_cwd/" data-orig-file="https://imp0rtp3.files.wordpress.com/2021/11/delete_cwd.png" data-orig-size="303,242" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="delete_cwd" data-image-description="" data-image-caption="" data-medium-file="https://imp0rtp3.files.wordpress.com/2021/11/delete_cwd.png?w=300" data-large-file="https://imp0rtp3.files.wordpress.com/2021/11/delete_cwd.png?w=303" src="https://imp0rtp3.files.wordpress.com/2021/11/delete_cwd.png?w=303" alt="" class="wp-image-229" srcset="https://imp0rtp3.files.wordpress.com/2021/11/delete_cwd.png 303w, https://imp0rtp3.files.wordpress.com/2021/11/delete_cwd.png?w=150 150w, https://imp0rtp3.files.wordpress.com/2021/11/delete_cwd.png?w=300 300w" sizes="(max-width: 303px) 100vw, 303px" /></figure></div>



<h2 id="rat">RAT</h2>



<figure class="wp-block-table is-style-stripes"><table><tbody><tr><td>Function num.</td><td>explanation</td></tr><tr><td>0</td><td>Execute command, send output back (&#8220;exc_cmd&#8221;)</td></tr><tr><td>1</td><td>Change IP of server</td></tr><tr><td>2</td><td>Write file &#8220;$(CWD)/s&#8221;  </td></tr><tr><td>3, 5</td><td>Add IP to configuration and reconnect to that file</td></tr><tr><td>4</td><td>Delete all files and exit</td></tr><tr><td>6</td><td>Write to file path chosen by the attacker</td></tr><tr><td>7</td><td>Add IP to configuration and write file</td></tr><tr><td>8</td><td>read file</td></tr></tbody></table></figure>



<p>As you can see, the functions are quite simple. Of some interest is function 2, which writes to a file named &#8220;s&#8221; in the current working directory. I have not seen any other reference to that file</p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img data-attachment-id="221" data-permalink="https://imp0rtp3.wordpress.com/popen/" data-orig-file="https://imp0rtp3.files.wordpress.com/2021/11/popen.png" data-orig-size="611,593" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="popen" data-image-description="" data-image-caption="" data-medium-file="https://imp0rtp3.files.wordpress.com/2021/11/popen.png?w=300" data-large-file="https://imp0rtp3.files.wordpress.com/2021/11/popen.png?w=611" src="https://imp0rtp3.files.wordpress.com/2021/11/popen.png?w=611" alt="" class="wp-image-221" srcset="https://imp0rtp3.files.wordpress.com/2021/11/popen.png 611w, https://imp0rtp3.files.wordpress.com/2021/11/popen.png?w=150 150w, https://imp0rtp3.files.wordpress.com/2021/11/popen.png?w=300 300w" sizes="(max-width: 611px) 100vw, 611px" /><figcaption>Function number 2</figcaption></figure></div>



<h4 id="rat-messages">RAT messages</h4>



<p>When SoWat receives a RAT message, it first checks if it&#8217;s the server or the client in the connection. if it&#8217;s the client it skips the verification, if it functions as a server it does require verification. </p>



<p>This is the message fromat for the verification:</p>



<figure class="wp-block-image size-large"><img data-attachment-id="239" data-permalink="https://imp0rtp3.wordpress.com/rat_comm/" data-orig-file="https://imp0rtp3.files.wordpress.com/2021/11/rat_comm.jpg" data-orig-size="3268,536" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="rat_comm" data-image-description="" data-image-caption="" data-medium-file="https://imp0rtp3.files.wordpress.com/2021/11/rat_comm.jpg?w=300" data-large-file="https://imp0rtp3.files.wordpress.com/2021/11/rat_comm.jpg?w=750" src="https://imp0rtp3.files.wordpress.com/2021/11/rat_comm.jpg?w=1024" alt="" class="wp-image-239" srcset="https://imp0rtp3.files.wordpress.com/2021/11/rat_comm.jpg?w=1024 1024w, https://imp0rtp3.files.wordpress.com/2021/11/rat_comm.jpg?w=2048 2048w, https://imp0rtp3.files.wordpress.com/2021/11/rat_comm.jpg?w=150 150w, https://imp0rtp3.files.wordpress.com/2021/11/rat_comm.jpg?w=300 300w, https://imp0rtp3.files.wordpress.com/2021/11/rat_comm.jpg?w=768 768w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p>The verification process occurs as follows:</p>



<ol><li>Check whether the Signed checksum was signed with the Private key of the Client certificate</li><li>Calculate the <a rel="noreferrer noopener" href="http://www0.cs.ucl.ac.uk/staff/d.jones/crcnote.pdf" target="_blank">CRC64 Jones checksum</a> of the command data,</li><li>Compare the message checksum to the CRC64 checksum it calculated.</li></ol>



<p>Only if the message is verified the command is ran,</p>



<h2 id="proxy">Proxy</h2>



<p>SoWaT can function in two different proxy modes:<br><strong>1. Attacker &lt;-&gt; Attacker</strong><br><strong>2. Attacker &lt;-&gt; Victim <br></strong><br>The names of the modes comes only from reversing their internal logic and and analysis of potential uses. While the Attacker &lt;-&gt; Victim mode is quite clear, the Attacker &lt;-&gt; Attacker mode is complicated and it is possible that its purpose is different, though it still works in the way detailed below.. <br>In both modes, the command data needs to to be encrypted using the private key of the client (which it also used to verify itself in the TLS handshake). </p>



<p>The command data, before encryption, is structured in this way:</p>



<figure class="wp-block-image size-large"><img data-attachment-id="228" data-permalink="https://imp0rtp3.wordpress.com/proxy_conn_struct-1/" data-orig-file="https://imp0rtp3.files.wordpress.com/2021/11/proxy_conn_struct-1.jpg" data-orig-size="2396,464" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="proxy_conn_struct-1" data-image-description="" data-image-caption="" data-medium-file="https://imp0rtp3.files.wordpress.com/2021/11/proxy_conn_struct-1.jpg?w=300" data-large-file="https://imp0rtp3.files.wordpress.com/2021/11/proxy_conn_struct-1.jpg?w=750" src="https://imp0rtp3.files.wordpress.com/2021/11/proxy_conn_struct-1.jpg?w=1024" alt="" class="wp-image-228" srcset="https://imp0rtp3.files.wordpress.com/2021/11/proxy_conn_struct-1.jpg?w=1024 1024w, https://imp0rtp3.files.wordpress.com/2021/11/proxy_conn_struct-1.jpg?w=2045 2045w, https://imp0rtp3.files.wordpress.com/2021/11/proxy_conn_struct-1.jpg?w=150 150w, https://imp0rtp3.files.wordpress.com/2021/11/proxy_conn_struct-1.jpg?w=300 300w, https://imp0rtp3.files.wordpress.com/2021/11/proxy_conn_struct-1.jpg?w=768 768w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p>I have written a script which can connect to SoWaT and perform as both sides of the proxy, See <a href="#script">Scripts</a>.</p>



<h4 id="attacker-victim-proxy">Attacker &lt;-&gt; Victim Proxy</h4>



<figure class="wp-block-image alignwide size-large"><img data-attachment-id="291" data-permalink="https://imp0rtp3.wordpress.com/proxy1-1/" data-orig-file="https://imp0rtp3.files.wordpress.com/2021/11/proxy1-1.jpg" data-orig-size="3868,3316" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="proxy1-1" data-image-description="" data-image-caption="" data-medium-file="https://imp0rtp3.files.wordpress.com/2021/11/proxy1-1.jpg?w=300" data-large-file="https://imp0rtp3.files.wordpress.com/2021/11/proxy1-1.jpg?w=750" src="https://imp0rtp3.files.wordpress.com/2021/11/proxy1-1.jpg?w=1024" alt="" class="wp-image-291" srcset="https://imp0rtp3.files.wordpress.com/2021/11/proxy1-1.jpg?w=1024 1024w, https://imp0rtp3.files.wordpress.com/2021/11/proxy1-1.jpg?w=2048 2048w, https://imp0rtp3.files.wordpress.com/2021/11/proxy1-1.jpg?w=150 150w, https://imp0rtp3.files.wordpress.com/2021/11/proxy1-1.jpg?w=300 300w, https://imp0rtp3.files.wordpress.com/2021/11/proxy1-1.jpg?w=768 768w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<ol><li>The Attacker connects to SoWaT with TLS and client certificate validation</li><li>The Attacker send a proxy initiation command, with the relevant data (encrypted):<ol><li>Attacker proxy listening port port and IP</li><li>32 byte ChaCha Key to encrypt communication later.</li></ol></li><li>SoWat initiates a raw <strong>unencrypted</strong> TCP socket with the attacker according to the data it got in the proxy command. The attacker sends back the victim connection port and attacker listening port.</li><li>A malicious program, running on a victim attempts to connect to its server. Its server IP is the SoWaT&#8217;s address. As soon as it initiates a TCP session with the implant, the implant initiates a <strong>new </strong>TCP session with the attacker. <br>The malware encrypts the TCP data from the victim before forwarding it to the attacker and decrypts the data from the attacker before forwarding to the victim. The data is encrypted using the ChaCha Key set by the attacker in step 2.</li><li>Step 4 can happen simultaneously with up to 5 victims, where each victim prompts the ORB to create a new session with the attacker.   </li></ol>



<p>It is important to note that steps 3 onward are not necessarily with the same attacker as steps 1,2. The attacker of steps 3 onward needs only to know at what port to listen to SoWaT.  </p>



<h4 id="attacker-attacker-proxy">Attacker &lt;-&gt; Attacker Proxy</h4>



<figure class="wp-block-image alignwide size-full"><img data-attachment-id="290" data-permalink="https://imp0rtp3.wordpress.com/proxy2_2-2/" data-orig-file="https://imp0rtp3.files.wordpress.com/2021/11/proxy2_2-2.jpg" data-orig-size="3692,3720" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="proxy2_2-2" data-image-description="" data-image-caption="" data-medium-file="https://imp0rtp3.files.wordpress.com/2021/11/proxy2_2-2.jpg?w=298" data-large-file="https://imp0rtp3.files.wordpress.com/2021/11/proxy2_2-2.jpg?w=750" src="https://imp0rtp3.files.wordpress.com/2021/11/proxy2_2-2.jpg" alt="" class="wp-image-290" /></figure>



<ol><li>Attacker 1 (A1) connects to SoWaT with TLS and client certificate validation</li><li>A1 send a proxy initiation command, with the relevant data (encrypted):<ol><li>A2 proxy listening port  and IP</li></ol></li><li>SoWaT connects to Attacker 2 (A2) using TLS and sends its client certificate.</li><li>SoWaT sends A2 the port for the next stage.</li><li>A2 sends command 6 to SoWaT, which prompts the implant to send A1 its stage 1 port.</li><li> Both attackers initiate a TCP connection with SoWat each with the destination ports the implant assigned them<ol><li>A1 sends command to run stage to the implant, which prompts it to send A2 its stage 2 port</li></ol></li><li>A2 sends the ORB a command to send A1 its stage 2 port</li><li>A1 initiates a TCP connection with its stage 2 port and sends two bytes: {02 00} in order to signal the implant to move forward with this stage.</li><li>A1 initiates a <strong>new </strong>TCP connection to the same port as in step 8. A2 initiates a TCP connection to the stage2 port it has been given</li><li>The attackers can communicate with each other through the sockets, and SoWaT servers as a proxy (without encryption).</li></ol>



<p>As In the previous mode, steps 6 onwards can be done by a third attacker and do not need necessarily to continue with A1 which initiaited the proxy command.</p>



<h4 id="but-why-so-complicated">But why so complicated?</h4>



<p>I do not have a definite answer as to why the proxy intiation process is so complicated, expecially the attacker &lt;-&gt; attacker mode. Two Hyptotheses:</p>



<ol><li><strong>Defense &amp; SIGINT evasion</strong><ol><li>Because of the difficult process until finally able to use the proxy, it is much harder for defendersn proactive hunter or anyone wandering in the internet to use it or exfiltrate attackers&#8217; data this way.</li><li>Finding open ports is becoming irelevant as even if the first port used by the attacker is always the same it is open for a very short time, and the other ports are then random</li><li>When having a lot of data, it is harder for some man in the middle to parse every paket to understand what the final proxy port is, which can make it more complicate to capture the relevant attacker traffic.</li></ol></li><li><strong>Compatability and legacy &#8211; </strong>It&#8217;s possible it was easier for the developers to keep in place old code and to just wrap it with their additions, as it does not have any substantial impact on efficiency.</li></ol>



<h2 id="additional-findings">Additional Findings</h2>



<h3 id="the-implant-file">The Implant File</h3>



<p>The implant, available on Virustotal, is an ELF file compiled for the MIPS processor architecture. The ELF is statically linked, with the libraries uClibc, libec, mbedtls, libc-ares and potentially others. While the code is in no matter obfuscated, the stripped binary complicates reversing.</p>



<h4 id="configuration">Configuration File</h4>



<p>SoWaT assumes a  configuration file encrypted using ChaCha20 protocol named &#8220;conf&#8221; in its current working directory. The file needs to be exactly 386 bytes long, and constructed in this way:</p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img data-attachment-id="204" data-permalink="https://imp0rtp3.wordpress.com/conf-drawio/" data-orig-file="https://imp0rtp3.files.wordpress.com/2021/11/conf.drawio.png" data-orig-size="658,96" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="conf.drawio" data-image-description="" data-image-caption="" data-medium-file="https://imp0rtp3.files.wordpress.com/2021/11/conf.drawio.png?w=300" data-large-file="https://imp0rtp3.files.wordpress.com/2021/11/conf.drawio.png?w=658" src="https://imp0rtp3.files.wordpress.com/2021/11/conf.drawio.png?w=658" alt="" class="wp-image-204" srcset="https://imp0rtp3.files.wordpress.com/2021/11/conf.drawio.png 658w, https://imp0rtp3.files.wordpress.com/2021/11/conf.drawio.png?w=150 150w, https://imp0rtp3.files.wordpress.com/2021/11/conf.drawio.png?w=300 300w" sizes="(max-width: 658px) 100vw, 658px" /></figure></div>



<p><strong>Nonce</strong> &#8211; Some 12-byte random value which serves as salt for the chacha20 encryption. See <a rel="noreferrer noopener" href="https://en.wikipedia.org/wiki/Salsa20#ChaCha_variant" target="_blank">ChaCha</a>. <br><strong>Buffer size</strong> &#8211; size of the entire structure, in big endian.</p>



<p>The Configuration is decrypted using the following hard-coded key:</p>



<pre class="wp-block-code"><code>53 14 3D 23 94 78 A9 68 2F 68 C9 A2 1A 93 3C 5B 39 52 2D 1D E0 63 59 1C 30 44 A2 6A 2A 3F A2 95</code></pre>



<p>There are up to 10 IP,Port couples, which represent each an attacker-controlled server the implant may try to connect to. <br>The structure of the configuration is probably due to compatibility reasons. it is possible that the first 260 bytes were once used to sign the configuration, as that exact buffer length is used in other places for verification.</p>



<h3 id="swt">The &#8220;swt&#8221; file</h3>



<p>The implant depends on a file named &#8220;swt&#8221; located also in the current working diretory. <br>I am not in possesion of that file but from examining SoWaT&#8217;s use of it is clear It contains a CA certificate, and a signed server certificate and private key. Moreover, it&#8217;s also an executable file. From context, it has likely some functionality which opens ports in the router&#8217;s firewall or changes its routing so to allow SoWaT to listen to incoming connections in a custom set port.</p>



<h4 id="how-sowat-listens">How SoWaT listens </h4>



<p>In order to open a listening socket the implant has a specific procedure: <br></p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img data-attachment-id="213" data-permalink="https://imp0rtp3.wordpress.com/swt_thing/" data-orig-file="https://imp0rtp3.files.wordpress.com/2021/11/swt_thing.png" data-orig-size="629,487" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="swt_thing" data-image-description="" data-image-caption="" data-medium-file="https://imp0rtp3.files.wordpress.com/2021/11/swt_thing.png?w=300" data-large-file="https://imp0rtp3.files.wordpress.com/2021/11/swt_thing.png?w=629" src="https://imp0rtp3.files.wordpress.com/2021/11/swt_thing.png?w=629" alt="" class="wp-image-213" srcset="https://imp0rtp3.files.wordpress.com/2021/11/swt_thing.png 629w, https://imp0rtp3.files.wordpress.com/2021/11/swt_thing.png?w=150 150w, https://imp0rtp3.files.wordpress.com/2021/11/swt_thing.png?w=300 300w" sizes="(max-width: 629px) 100vw, 629px" /><figcaption>Setup of socket</figcaption></figure></div>



<ol><li>It creates a basic socket object (AF_INET, SOCK_DGRAM)</li><li> It sets the option SO_REUSEADDR to true.<ol><li>SO_REUSEADDR allows other processes to create another socket listening on the same port.</li></ol></li><li>The socket is bound to an open port or to a port directed by the function caller </li><li> &#8220;./swt port &lt;bound port&gt;&#8221; is executed as a child process<ol><li>This behavior indicated that the &#8220;swt&#8221; executable most likely has some ability to alter the firewall or forwarding table of the router.</li></ol></li></ol>



<div class="wp-block-image"><figure class="aligncenter size-large"><img data-attachment-id="215" data-permalink="https://imp0rtp3.wordpress.com/swt_port/" data-orig-file="https://imp0rtp3.files.wordpress.com/2021/11/swt_port.png" data-orig-size="523,176" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="swt_port" data-image-description="" data-image-caption="" data-medium-file="https://imp0rtp3.files.wordpress.com/2021/11/swt_port.png?w=300" data-large-file="https://imp0rtp3.files.wordpress.com/2021/11/swt_port.png?w=523" src="https://imp0rtp3.files.wordpress.com/2021/11/swt_port.png?w=523" alt="" class="wp-image-215" srcset="https://imp0rtp3.files.wordpress.com/2021/11/swt_port.png 523w, https://imp0rtp3.files.wordpress.com/2021/11/swt_port.png?w=150 150w, https://imp0rtp3.files.wordpress.com/2021/11/swt_port.png?w=300 300w" sizes="(max-width: 523px) 100vw, 523px" /></figure></div>



<h4 id="dead-code">Dead Code</h4>



<p>The implant contains a lot of dead code, which bears resemblance to the malicious code ran. Most likely, this code was used in a previous version of the implant and was included because of compilation flags.</p>



<div class="wp-block-image"><figure class="aligncenter size-large"><img data-attachment-id="218" data-permalink="https://imp0rtp3.wordpress.com/old_log/" data-orig-file="https://imp0rtp3.files.wordpress.com/2021/11/old_log.png" data-orig-size="526,368" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="old_log" data-image-description="" data-image-caption="" data-medium-file="https://imp0rtp3.files.wordpress.com/2021/11/old_log.png?w=300" data-large-file="https://imp0rtp3.files.wordpress.com/2021/11/old_log.png?w=526" src="https://imp0rtp3.files.wordpress.com/2021/11/old_log.png?w=526" alt="" class="wp-image-218" srcset="https://imp0rtp3.files.wordpress.com/2021/11/old_log.png 526w, https://imp0rtp3.files.wordpress.com/2021/11/old_log.png?w=150 150w, https://imp0rtp3.files.wordpress.com/2021/11/old_log.png?w=300 300w" sizes="(max-width: 526px) 100vw, 526px" /><figcaption>Unused Logging function</figcaption></figure></div>



<p>The implants&#8217; function and architecture show a comprehensive and advanced codebase, relying on many custom structs, and running different tasks simultaneously.</p>



<p>The implant contains very few custom strings, which is quite unusual in router malware, whose developers are less afraid of detection and analysis.<br>The appearance of strings in an unsystematic way, and the use of status codes may hint that the threat actor has been detected and analyzed in the past and changed their implant to avoid detection.</p>



<h3 id="execution-path">Execution Path</h3>



<p>The implant doesn&#8217;t give any direct hint to how it was executed. Upon deeper inspection, the string &#8220;Usage : ntpclient destination&#8221; stands out. which is referenced by a basic print_usage function. This function is never called. Most likely, it is an artifact left by accident by the Threat actor. <br>The executable lacks the functionality of every <a rel="noreferrer noopener" href="https://timetoolsltd.com/ntp/ntp-client/" target="_blank">ntpclient</a>, i.e. setting the time on the machine, so it was not possible for the implant to masquerade as a that.<br> It is possible that previous versions of the binary replaced the original ntpclient and so would be started as a daemon, running ntpclient functionality along the malicious functionality. Alternatively, is is possible that the executable was just named ntpclient and the Usage was there to try make it look legitimate to a suspecting IT technician.</p>



<figure class="wp-block-image size-large"><img data-attachment-id="217" data-permalink="https://imp0rtp3.wordpress.com/ntp/" data-orig-file="https://imp0rtp3.files.wordpress.com/2021/11/ntp.png" data-orig-size="608,99" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="ntp" data-image-description="" data-image-caption="" data-medium-file="https://imp0rtp3.files.wordpress.com/2021/11/ntp.png?w=300" data-large-file="https://imp0rtp3.files.wordpress.com/2021/11/ntp.png?w=608" src="https://imp0rtp3.files.wordpress.com/2021/11/ntp.png?w=608" alt="" class="wp-image-217" srcset="https://imp0rtp3.files.wordpress.com/2021/11/ntp.png 608w, https://imp0rtp3.files.wordpress.com/2021/11/ntp.png?w=150 150w, https://imp0rtp3.files.wordpress.com/2021/11/ntp.png?w=300 300w" sizes="(max-width: 608px) 100vw, 608px" /></figure>



<p>In the directory the implant is run from 2 files are expected:<br>&#8220;swt&#8221;<br>&#8220;conf&#8221;</p>



<p>When a kill command is sent, the malware deletes its entrie current working directory, this means that it&#8217;s likely the attacker dedicate an empty or new folder for their implant</p>



<h2 id="detection">Detection</h2>



<ol><li>Check for processes with suspicious names or running from unusual paths.</li><li>I have written YARA rules to detect both unique string and code of the implant, available on <a rel="noreferrer noopener" href="https://github.com/imp0rtp3/yara-rules/blob/main/2021-11-25%20SoWaT/sowat.yar" target="_blank">my github</a></li></ol>



<h4 id="av-detection">AV Detection</h4>



<p>As of the time of this writing, the original  implant sample was detected by 33 out of 61 AV engines in VT.</p>



<p>Uploading the same sample, with some strings deleted, but fully functional yielded very different results: only 6 AV vendors detected most of these samples.<br>Essentialy, this means all but the 6 AV vendors are highly unlikely to detect the next SoWaT implant if uploaded to VT. </p>



<figure class="wp-block-table"><table><tbody><tr><td>num.</td><td>1</td><td>2</td><td>5</td><td>4</td><td>5</td></tr><tr><td>detection</td><td>6</td><td>8</td><td>6</td><td>6</td><td>18</td></tr><tr><td>change</td><td>changed most strings</td><td>removed only unused strings</td><td>removed all unique strings</td><td>removed all unique strings and encryption key</td><td>change file hash by appending some bytes</td></tr><tr><td>link</td><td><a href="https://www.virustotal.com/gui/file/59e2a0b708b79508954a2b0234c37b49c76e8f5afad8575706142aaceb3a3b84?nocache=1" target="_blank" rel="noreferrer noopener">link</a></td><td><a href="https://www.virustotal.com/gui/file/d2a6597e38513e8a5fea1d7a457b8f3eb8445d3e6cf68cb6bff39716328ad191?nocache=1" target="_blank" rel="noreferrer noopener">link</a></td><td><a href="https://www.virustotal.com/gui/file/1b300d30a44fd4245ffa0df1e943fc9c5d2046f043dc19586a2663a83c526336?nocache=1" target="_blank" rel="noreferrer noopener">link</a></td><td><a href="https://www.virustotal.com/gui/file/50809fc28aeefe6c4e1c50fa435a54eade3b747405b9aeabed506d7f2d6f172b?nocache=1" target="_blank" rel="noreferrer noopener">link</a></td><td><a href="https://www.virustotal.com/gui/file/0cb509a43795a9cb881b8d72b4f62ed7ba5165884688bdeeece1ac84536a31c0?nocache=1" target="_blank" rel="noreferrer noopener">link</a></td></tr></tbody></table></figure>



<p>The 6 AVs that have shown consistent detections are (in alphabetical order):</p>



<ul><li>AhnLab</li><li>DrWeb</li><li>ESET</li><li>Jiangmin</li><li>Kaspersky</li><li>Zillya</li></ul>



<p>It is important to note that checking if an AV detect a file in VT does not mean whether an AV is good or bad, as in real network AVs detect activity based on many other indicator and not just files. <br>Nevertheless, this comparison is important in my opinion, especially regarding router malware. it&#8217;s common that no AV is installed on the network device and to check a suspicious file one can only upload the file to VT or to their own AV portal. </p>



<h2 id="prevention">Prevention</h2>



<p>The NSA has <a rel="noreferrer noopener" href="https://media.defense.gov/2020/Aug/18/2002479461/-1/-1/0/HARDENING_NETWORK_DEVICES.PDF" target="_blank">published in 2020</a> a great resource detailing how to harden network devices </p>



<h2 id="conclusions">Conclusions</h2>



<h4 id="development-timeline">Development timeline</h4>



<p>I can assess with high confidence that SoWaT has had several developmental builds before, for the following reasons:</p>



<ol><li>Dead code: Most likely because of a wrong compilation flag the implant contains a lot of dead code, which has a striking resemblance to code that is actually used by the implant. I believe this indicates previous build of the threat actor where they formulated and changed the body of their build.</li><li>Overlap in functionality: both the RAT and command switcher have function which do almost the same, in a different manner. It is most likely because of backward compatibility. </li><li>Unnecessary complex code: The code contains a lot of structures and sub-functions which seem to indicate features that were added later to the codebase.</li></ol>



<h4 id="targets">Targets</h4>



<p>It is likely that SoWaT is also deployed to other router vendors or linux based servers:</p>



<ol><li>The implant  expects all incoming communication to be formatted as big endian. This does seem a little strange considering that most likely the attacker is also working on a little-endian based computer. It&#8217;s possible that the attacker used that for comfort reasons, but another reason could be that the communication protocols were initially written for a big-endian devices.</li><li>The implant is fully system-independent and could be run on any linux kernel. The OS dependent part is most likely in the &#8220;swt&#8221; binary, which changes the firewall of the specific device. The separation between OS-dependent and OS-independent executables does hint that the independent executable is also ran elsewhere.</li></ol>



<h4 id="verification-and-encryption">Verification and Encryption</h4>



<p>Throughout the research of the sample it is clear that the developers paid much attention to encryption and verification. Several remarks on that:</p>



<ol><li>The implant does not use AES at all and uses only ChaCha for symmetric encryption. That is not only true for the configuration and proxy, but also its TLS supports only one ciphersuite (TLS_DCDHE_RSA_WITH_CHACHA20_POLY1305_SHA256). Most likely, it means the developers deliberately compiled the executable without any AES support. This could be for reasons of efficiency (ChaCha tends to be faster), but also possible that they trust ChaCha to be more secure than AES.</li><li>The usage of verification and encryption even though TLS is used cannot be explained as an old procedure used before the developers used TLS, because the encryption and verification rely on Client certificate only available throught the TLS handshake. Two other possible explanations are:<ol><li>The attackers do not trust the TLS protocol so they try additional security measures</li><li>Previously a 3rd party successfully did a MiTM attack using a cracked or stolen attacker CA certificate stolen from the attackers. encrypting or verfying data with the client certificate private key makes it difficult for the 3rd party to do that again. </li></ol></li></ol>



<h2 id="summary">Summary</h2>



<ol><li>While certainly far from the only router implant, SoWaT underlines that threat actors move to commercially available tools (such as cobalt strike) where it fits them, but do not stop in-house development and research where needed. The fact that the implant was likely developed over multiple years underlines that it is likely not to be thrown away easily. </li><li> Routers are detection and prevention-wise almost a black hole. The fact that the compromised routers operate as ORBs and  most of the time do not harm the organization to whom the router belongs makes prevention and detection even more complicated. Shedding more light and discourse into these may help in developing and distributing more detection and prevention options.    </li><li>This research is far from complete. Any researchers with questions or information are welcome to contact me, and I&#8217;ll be happy to share the IDA database and any other relevant data.</li></ol>



<h2 id="appendix-a-iocs">APPENDIX A &#8211; IOCs</h2>



<p><strong>SHA256</strong><br>1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2 (<a rel="noreferrer noopener" href="https://www.virustotal.com/gui/file/1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2/detection" target="_blank">VT</a>)</p>



<p><strong>File names</strong><br>swt<br>s<br>conf<br>log</p>



<p><strong>JA3</strong>     &#8211; e1f787e2b6ec64bf23157522c2e8073d<br><strong>JARM</strong> &#8211; 3fd3fd0003fd3fd0003fd3fd3fd3fd755a2cec4b52fb1bce1ac7f1e48c8a7d</p>



<h2 id="scripts">APPENDIX B &#8211; Scripts</h2>



<ul><li><a rel="noreferrer noopener" href="https://github.com/imp0rtp3/Research/blob/master/2021-11-25%20SoWaT/run_proxy.py" target="_blank">Proxy Communication Simulation</a></li><li><a rel="noreferrer noopener" href="https://github.com/imp0rtp3/Research/blob/master/2021-11-25%20SoWaT/create_conf.py" target="_blank">Configuration creator</a></li><li><a rel="noreferrer noopener" href="https://github.com/imp0rtp3/Research/blob/master/2021-11-25%20SoWaT/create_certs.sh" target="_blank">Basic Openssl certificates creator</a></li><li><a rel="noreferrer noopener" href="https://github.com/imp0rtp3/Research/blob/master/2021-11-25%20SoWaT/create_swt.sh" target="_blank">Mock swt creator</a> (depends on certificates)</li></ul>



<h2 id="appendix-c-internal-structures">APPENDIX C &#8211; Internal Structures</h2>


<div class="wp-block-syntaxhighlighter-code "><pre class="brush: cpp; title: ; notranslate" title="">
struct sowat_info{
	DWORD current command_num;
	DWORD calling_method;
	union message{
	 * char client_response;
	 * char server_response;
	};
	union message_len{
	 DWORD client_response_len;
	 DWORD server_response_len;
	};
	char client_public_key&#91;460];
	* global_connection_infromation global_connection_infromation;
	DWORD unknown; // initiated as -1
	DWORD sock_fd_read;
	* char connection_init_msg;
	* client_to_server client_to_server;
	* void command_run(sowat_info * sowat_info); 
};


struct cert_info
{
	* void unknown;
	* mbedtls_x509_crt mbedtls_x509_crt_in_connection;
	* mbedtls_pk_context mbedtls_pk_context_in_connection;
};

struct global_connection_infromation
{
	* internal_conn_info internal_conn_info;
	* DICT known_public_keys;
	* cert_info cert_info;
	* char decrypted_configuration;
	* ev_loop main_loop;
	DWORD time_delta; // delta between global time and machine time
	DWORD hours_counter;
};

struct internal_conn_info
{
	QWORD pk_crc64_jones;
	DWORD connection_ip;
	WORD connection_port;
	DWORD unknown; //set to 12
	DWORD time_of_conn_init;
	char public_key&#91;460];
};

struct proxy {
	BYTE prx_command;
	DWORD fd_socket_0;
	DWORD fd_socket_1;
	DWORD unknown;
	DWORD tls_server_IP;
	WORD socket_2_1_port;
	WORD socket_0_port;
	WORD socket_1_port;
	WORD socket_2_0_port;
	char chacha_encryption_key&#91;32];
	* ev_io prx_cb_1;
	* ev_io prx_0_cb0;
	DWORD fd_socket_prx_1;
	DWORD time_last_recv_pack1;
	DWORD time_last_recv_pack2;
	DWORD time_last_recv_pack3;
	* ev_loop prx_ev_loop;
	WORD prx_2_listen_port;
	DICT used_ports;
	QWORD unknown;
	WORD socket_1_port;
	DICT unknown;
};


struct DICT{
	void * djb2_hashtable;
	DWORD num_keys;
};

struct dict_hash_obj{
	DWORD djb2; // djb2 hash
	* void value;
	* dict_hash_obj next;
	char key&#91;4];
};

</pre></div><div id="atatags-370373-61c515db10f0b">
        <script type="text/javascript">
            __ATA.cmd.push(function() {
                __ATA.initVideoSlot('atatags-370373-61c515db10f0b', {
                    sectionId: '370373',
                    format: 'inread'
                });
            });
        </script>
    </div>			<div id="atatags-26942-61c515db11002"></div>
			
			<script>
				__ATA.cmd.push(function() {
					__ATA.initDynamicSlot({
						id: 'atatags-26942-61c515db11002',
						location: 120,
						formFactor: '001',
						label: {
							text: 'Advertisements',
						},
						creative: {
							reportAd: {
								text: 'Report this ad',
							},
							privacySettings: {
								text: 'Privacy',
								onClick: function() { window.__tcfapi && window.__tcfapi( 'showUi' ); },
							}
						}
					});
				});
			</script><div id="jp-post-flair" class="sharedaddy sd-like-enabled sd-sharing-enabled"><div class="sharedaddy sd-sharing-enabled"><div class="robots-nocontent sd-block sd-social sd-social-icon-text sd-sharing"><h3 class="sd-title">Share this:</h3><div class="sd-content"><ul><li class="share-twitter"><a rel="nofollow noopener noreferrer" data-shared="sharing-twitter-183" class="share-twitter sd-button share-icon" href="https://imp0rtp3.wordpress.com/2021/11/25/sowat/?share=twitter" target="_blank" title="Click to share on Twitter"><span>Twitter</span></a></li><li class="share-facebook"><a rel="nofollow noopener noreferrer" data-shared="sharing-facebook-183" class="share-facebook sd-button share-icon" href="https://imp0rtp3.wordpress.com/2021/11/25/sowat/?share=facebook" target="_blank" title="Click to share on Facebook"><span>Facebook</span></a></li><li class="share-end"></li></ul></div></div></div></div>	</div><!-- .entry-content -->

	<footer class="entry-footer responsive-max-width">
		<span class="byline"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" viewBox="0 0 24 24" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><path d="M12 12c2.21 0 4-1.79 4-4s-1.79-4-4-4-4 1.79-4 4 1.79 4 4 4zm0 2c-2.67 0-8 1.34-8 4v2h16v-2c0-2.66-5.33-4-8-4z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg><span class="screen-reader-text">Posted by</span><span class="author vcard"><a class="url fn n" href="https://imp0rtp3.wordpress.com/author/cl3aver/">imp0rtp3</a></span></span><span class="posted-on"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><defs><path id="a" d="M0 0h24v24H0V0z"></path></defs><clipPath id="b"><use xlink:href="#a" overflow="visible"></use></clipPath><path clip-path="url(#b)" d="M12 2C6.5 2 2 6.5 2 12s4.5 10 10 10 10-4.5 10-10S17.5 2 12 2zm4.2 14.2L11 13V7h1.5v5.2l4.5 2.7-.8 1.3z"></path></svg><a href="https://imp0rtp3.wordpress.com/2021/11/25/sowat/" rel="bookmark"><time class="entry-date published" datetime="2021-11-25T19:23:15+01:00">November 25, 2021</time><time class="updated" datetime="2021-11-25T20:04:01+01:00">November 25, 2021</time></a></span><span class="cat-links"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M10 4H4c-1.1 0-1.99.9-1.99 2L2 18c0 1.1.9 2 2 2h16c1.1 0 2-.9 2-2V8c0-1.1-.9-2-2-2h-8l-2-2z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg><span class="screen-reader-text">Posted in</span><a href="https://imp0rtp3.wordpress.com/category/uncategorized/" rel="category tag">Uncategorized</a></span><span class="tags-links"><svg class="svg-icon" width="16" height="16" aria-hidden="true" role="img" focusable="false" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21.41 11.58l-9-9C12.05 2.22 11.55 2 11 2H4c-1.1 0-2 .9-2 2v7c0 .55.22 1.05.59 1.42l9 9c.36.36.86.58 1.41.58.55 0 1.05-.22 1.41-.59l7-7c.37-.36.59-.86.59-1.41 0-.55-.23-1.06-.59-1.42zM5.5 7C4.67 7 4 6.33 4 5.5S4.67 4 5.5 4 7 4.67 7 5.5 6.33 7 5.5 7z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg><span class="screen-reader-text">Tags:</span><a href="https://imp0rtp3.wordpress.com/tag/apt31/" rel="tag">apt31</a>, <a href="https://imp0rtp3.wordpress.com/tag/malware/" rel="tag">malware</a>, <a href="https://imp0rtp3.wordpress.com/tag/router/" rel="tag">router</a>, <a href="https://imp0rtp3.wordpress.com/tag/sowat/" rel="tag">sowat</a></span>	</footer><!-- .entry-footer -->

				
</article><!-- #post-${ID} -->

	<nav class="navigation post-navigation" role="navigation" aria-label="Posts">
		<h2 class="screen-reader-text">Post navigation</h2>
		<div class="nav-links"><div class="nav-previous"><a href="https://imp0rtp3.wordpress.com/2021/08/12/tetris/" rel="prev"><span class="meta-nav" aria-hidden="true">Previous Post</span> <span class="screen-reader-text">Previous post:</span> <br/><span class="post-title">Uncovering Tetris &#8211; a Full Surveillance Kit Running in your&nbsp;Browser</span></a></div></div>
	</nav>
<div id="comments" class="comments-area responsive-max-width">

			<h2 class="comments-title">
			2 thoughts on &ldquo;<span>A Deep Dive Into SoWaT: APT31&#8217;s Multifunctional Router&nbsp;Implant</span>&rdquo;		</h2><!-- .comments-title -->

		
		<ol class="comment-list">
					<li id="comment-13" class="pingback even thread-even depth-1 highlander-comment">
			<div class="comment-body">
				Pingback: <a href='http://thisweekin4n6.com/2021/11/28/week-48-2021/' rel='external nofollow ugc' class='url'>Week 48 &#8211; 2021 &#8211; This Week In 4n6</a> 			</div>
		</li><!-- #comment-## -->
		<li id="comment-14" class="pingback odd alt thread-odd thread-alt depth-1 highlander-comment">
			<div class="comment-body">
				Pingback: <a href='https://badcyber.com/it-security-weekend-catch-up-november-28-2021/' rel='external nofollow ugc' class='url'>IT Security Weekend Catch Up – November 28, 2021 &#8211; BadCyber</a> 			</div>
		</li><!-- #comment-## -->
		</ol><!-- .comment-list -->

					<p class="no-comments">Comments are closed.</p>
			
</div><!-- #comments -->

		</main><!-- #main -->
	</section><!-- #primary -->


	</div><!-- #content -->

	
	<footer id="colophon" class="site-footer responsive-max-width">
			
	<aside class="widget-area responsive-max-width" role="complementary" aria-label="Footer">
		<section id="block-3" class="widget widget_block">
<ul class="wp-container-61c515db18f7d wp-block-social-links"><li class="wp-social-link wp-social-link-twitter wp-block-social-link"><a href="https://twitter.com/imp0rtp3" aria-label="Twitter: https://twitter.com/imp0rtp3"  class="wp-block-social-link-anchor"> <svg width="24" height="24" viewBox="0 0 24 24" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img" aria-hidden="true" focusable="false"><path d="M22.23,5.924c-0.736,0.326-1.527,0.547-2.357,0.646c0.847-0.508,1.498-1.312,1.804-2.27 c-0.793,0.47-1.671,0.812-2.606,0.996C18.324,4.498,17.257,4,16.077,4c-2.266,0-4.103,1.837-4.103,4.103 c0,0.322,0.036,0.635,0.106,0.935C8.67,8.867,5.647,7.234,3.623,4.751C3.27,5.357,3.067,6.062,3.067,6.814 c0,1.424,0.724,2.679,1.825,3.415c-0.673-0.021-1.305-0.206-1.859-0.513c0,0.017,0,0.034,0,0.052c0,1.988,1.414,3.647,3.292,4.023 c-0.344,0.094-0.707,0.144-1.081,0.144c-0.264,0-0.521-0.026-0.772-0.074c0.522,1.63,2.038,2.816,3.833,2.85 c-1.404,1.1-3.174,1.756-5.096,1.756c-0.331,0-0.658-0.019-0.979-0.057c1.816,1.164,3.973,1.843,6.29,1.843 c7.547,0,11.675-6.252,11.675-11.675c0-0.178-0.004-0.355-0.012-0.531C20.985,7.47,21.68,6.747,22.23,5.924z"></path></svg></a></li>

<li class="wp-social-link wp-social-link-github wp-block-social-link"><a href="https://github.com/imp0rtp3" aria-label="GitHub: https://github.com/imp0rtp3"  class="wp-block-social-link-anchor"> <svg width="24" height="24" viewBox="0 0 24 24" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img" aria-hidden="true" focusable="false"><path d="M12,2C6.477,2,2,6.477,2,12c0,4.419,2.865,8.166,6.839,9.489c0.5,0.09,0.682-0.218,0.682-0.484 c0-0.236-0.009-0.866-0.014-1.699c-2.782,0.602-3.369-1.34-3.369-1.34c-0.455-1.157-1.11-1.465-1.11-1.465 c-0.909-0.62,0.069-0.608,0.069-0.608c1.004,0.071,1.532,1.03,1.532,1.03c0.891,1.529,2.341,1.089,2.91,0.833 c0.091-0.647,0.349-1.086,0.635-1.337c-2.22-0.251-4.555-1.111-4.555-4.943c0-1.091,0.39-1.984,1.03-2.682 C6.546,8.54,6.202,7.524,6.746,6.148c0,0,0.84-0.269,2.75,1.025C10.295,6.95,11.15,6.84,12,6.836 c0.85,0.004,1.705,0.114,2.504,0.336c1.909-1.294,2.748-1.025,2.748-1.025c0.546,1.376,0.202,2.394,0.1,2.646 c0.64,0.699,1.026,1.591,1.026,2.682c0,3.841-2.337,4.687-4.565,4.935c0.359,0.307,0.679,0.917,0.679,1.852 c0,1.335-0.012,2.415-0.012,2.741c0,0.269,0.18,0.579,0.688,0.481C19.138,20.161,22,16.416,22,12C22,6.477,17.523,2,12,2z"></path></svg></a></li>

<li class="wp-social-link wp-social-link-mail wp-block-social-link"><a href="http://importpe@protonmail.com" aria-label="Mail: importpe@protonmail.com"  class="wp-block-social-link-anchor"> <svg width="24" height="24" viewBox="0 0 24 24" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img" aria-hidden="true" focusable="false"><path d="M20,4H4C2.895,4,2,4.895,2,6v12c0,1.105,0.895,2,2,2h16c1.105,0,2-0.895,2-2V6C22,4.895,21.105,4,20,4z M20,8.236l-8,4.882 L4,8.236V6h16V8.236z"></path></svg></a></li>

<li class="wp-social-link wp-social-link-chain wp-block-social-link"><a href="https://api.protonmail.ch/pks/lookup?op=get&#038;search=importpe@protonmail.com" aria-label="PGP"  class="wp-block-social-link-anchor"> <svg width="24" height="24" viewBox="0 0 24 24" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img" aria-hidden="true" focusable="false"><path d="M19.647,16.706a1.134,1.134,0,0,0-.343-.833l-2.549-2.549a1.134,1.134,0,0,0-.833-.343,1.168,1.168,0,0,0-.883.392l.233.226q.2.189.264.264a2.922,2.922,0,0,1,.184.233.986.986,0,0,1,.159.312,1.242,1.242,0,0,1,.043.337,1.172,1.172,0,0,1-1.176,1.176,1.237,1.237,0,0,1-.337-.043,1,1,0,0,1-.312-.159,2.76,2.76,0,0,1-.233-.184q-.073-.068-.264-.264l-.226-.233a1.19,1.19,0,0,0-.4.895,1.134,1.134,0,0,0,.343.833L15.837,19.3a1.13,1.13,0,0,0,.833.331,1.18,1.18,0,0,0,.833-.318l1.8-1.789a1.12,1.12,0,0,0,.343-.821Zm-8.615-8.64a1.134,1.134,0,0,0-.343-.833L8.163,4.7a1.134,1.134,0,0,0-.833-.343,1.184,1.184,0,0,0-.833.331L4.7,6.473a1.12,1.12,0,0,0-.343.821,1.134,1.134,0,0,0,.343.833l2.549,2.549a1.13,1.13,0,0,0,.833.331,1.184,1.184,0,0,0,.883-.38L8.728,10.4q-.2-.189-.264-.264A2.922,2.922,0,0,1,8.28,9.9a.986.986,0,0,1-.159-.312,1.242,1.242,0,0,1-.043-.337A1.172,1.172,0,0,1,9.254,8.079a1.237,1.237,0,0,1,.337.043,1,1,0,0,1,.312.159,2.761,2.761,0,0,1,.233.184q.073.068.264.264l.226.233a1.19,1.19,0,0,0,.4-.895ZM22,16.706a3.343,3.343,0,0,1-1.042,2.488l-1.8,1.789a3.536,3.536,0,0,1-4.988-.025l-2.525-2.537a3.384,3.384,0,0,1-1.017-2.488,3.448,3.448,0,0,1,1.078-2.561l-1.078-1.078a3.434,3.434,0,0,1-2.549,1.078,3.4,3.4,0,0,1-2.5-1.029L3.029,9.794A3.4,3.4,0,0,1,2,7.294,3.343,3.343,0,0,1,3.042,4.806l1.8-1.789A3.384,3.384,0,0,1,7.331,2a3.357,3.357,0,0,1,2.5,1.042l2.525,2.537a3.384,3.384,0,0,1,1.017,2.488,3.448,3.448,0,0,1-1.078,2.561l1.078,1.078a3.551,3.551,0,0,1,5.049-.049l2.549,2.549A3.4,3.4,0,0,1,22,16.706Z"></path></svg></a></li></ul>
</section>	</aside><!-- .widget-area -->


	
		<div class="site-info">
		<a class="site-name" href="https://imp0rtp3.wordpress.com/" rel="home">imp0rtp3</a><span class="comma">,</span>
<a href="https://wordpress.com/?ref=footer_custom_svg" title="Create a website or blog at WordPress.com" rel="nofollow"><svg style="fill: currentColor; position: relative; top: 1px;" width="14px" height="15px" viewBox="0 0 14 15" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-labelledby="title" role="img">
				<desc id="title">Create a website or blog at WordPress.com</desc>
				<path d="M12.5225848,4.97949746 C13.0138466,5.87586309 13.2934037,6.90452431 13.2934037,7.99874074 C13.2934037,10.3205803 12.0351007,12.3476807 10.1640538,13.4385638 L12.0862862,7.88081544 C12.4453251,6.98296834 12.5648813,6.26504621 12.5648813,5.62667922 C12.5648813,5.39497674 12.549622,5.17994084 12.5225848,4.97949746 L12.5225848,4.97949746 Z M7.86730089,5.04801561 C8.24619178,5.02808979 8.58760099,4.98823815 8.58760099,4.98823815 C8.9267139,4.94809022 8.88671369,4.44972248 8.54745263,4.46957423 C8.54745263,4.46957423 7.52803983,4.54957381 6.86996227,4.54957381 C6.25158863,4.54957381 5.21247202,4.46957423 5.21247202,4.46957423 C4.87306282,4.44972248 4.83328483,4.96816418 5.17254589,4.98823815 C5.17254589,4.98823815 5.49358462,5.02808979 5.83269753,5.04801561 L6.81314716,7.73459399 L5.43565839,11.8651647 L3.14394256,5.04801561 C3.52312975,5.02808979 3.86416859,4.98823815 3.86416859,4.98823815 C4.20305928,4.94809022 4.16305906,4.44972248 3.82394616,4.46957423 C3.82394616,4.46957423 2.80475558,4.54957381 2.14660395,4.54957381 C2.02852925,4.54957381 1.88934333,4.54668493 1.74156477,4.54194422 C2.86690406,2.83350881 4.80113651,1.70529256 6.99996296,1.70529256 C8.638342,1.70529256 10.1302017,2.33173369 11.2498373,3.35765419 C11.222726,3.35602457 11.1962815,3.35261718 11.1683554,3.35261718 C10.5501299,3.35261718 10.1114609,3.89113285 10.1114609,4.46957423 C10.1114609,4.98823815 10.4107217,5.42705065 10.7296864,5.94564049 C10.969021,6.36482346 11.248578,6.90326506 11.248578,7.68133501 C11.248578,8.21992476 11.0413918,8.84503256 10.7696866,9.71584277 L10.1417574,11.8132391 L7.86730089,5.04801561 Z M6.99996296,14.2927074 C6.38218192,14.2927074 5.78595654,14.2021153 5.22195356,14.0362644 L7.11048207,8.54925635 L9.04486267,13.8491542 C9.05760348,13.8802652 9.07323319,13.9089317 9.08989995,13.9358945 C8.43574834,14.1661896 7.73285573,14.2927074 6.99996296,14.2927074 L6.99996296,14.2927074 Z M0.706448182,7.99874074 C0.706448182,7.08630113 0.902152921,6.22015756 1.25141403,5.43749503 L4.25357806,13.6627848 C2.15393732,12.6427902 0.706448182,10.4898387 0.706448182,7.99874074 L0.706448182,7.99874074 Z M6.99996296,0.999 C3.14016476,0.999 0,4.13905746 0,7.99874074 C0,11.8585722 3.14016476,14.999 6.99996296,14.999 C10.8596871,14.999 14,11.8585722 14,7.99874074 C14,4.13905746 10.8596871,0.999 6.99996296,0.999 L6.99996296,0.999 Z" id="wordpress-logo-simplified-cmyk" stroke="none" fill=“currentColor” fill-rule="evenodd"></path>
			</svg></a>	</div><!-- .site-info -->
	</footer><!-- #colophon -->

</div><!-- #page -->

<!--  -->
<div id="marketingbar" class="marketing-bar noskim"><div class="marketing-bar-text">Create your website with WordPress.com</div><a class="marketing-bar-button" href="https://wordpress.com/start/?ref=marketing_bar">Get started</a><a class="marketing-bar-link" tabindex="-1" aria-label="Create your website at WordPress.com" href="https://wordpress.com/start/?ref=marketing_bar"></a></div><script src='//0.gravatar.com/js/gprofiles.js?ver=202151y' id='grofiles-cards-js'></script>
<script id='wpgroho-js-extra'>
var WPGroHo = {"my_hash":""};
</script>
<script crossorigin='anonymous' type='text/javascript' src='https://s1.wp.com/wp-content/mu-plugins/gravatar-hovercards/wpgroho.js?m=1610363240h'></script>

	<script>
		// Initialize and attach hovercards to all gravatars
		( function() {
			function init() {
				if ( typeof Gravatar === 'undefined' ) {
					return;
				}

				if ( typeof Gravatar.init !== 'function' ) {
					return;
				}

				Gravatar.profile_cb = function ( hash, id ) {
					WPGroHo.syncProfileData( hash, id );
				};

				Gravatar.my_hash = WPGroHo.my_hash;
				Gravatar.init( 'body', '#wp-admin-bar-my-account' );
			}

			if ( document.readyState !== 'loading' ) {
				init();
			} else {
				document.addEventListener( 'DOMContentLoaded', init );
			}
		} )();
	</script>

		<div style="display:none">
	</div>
		<!-- CCPA [start] -->
		<script type="text/javascript">
			( function () {

				var setupPrivacy = function() {

					// Minimal Mozilla Cookie library
					// https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie/Simple_document.cookie_framework
					var cookieLib = window.cookieLib = {getItem:function(e){return e&&decodeURIComponent(document.cookie.replace(new RegExp("(?:(?:^|.*;)\\s*"+encodeURIComponent(e).replace(/[\-\.\+\*]/g,"\\$&")+"\\s*\\=\\s*([^;]*).*$)|^.*$"),"$1"))||null},setItem:function(e,o,n,t,r,i){if(!e||/^(?:expires|max\-age|path|domain|secure)$/i.test(e))return!1;var c="";if(n)switch(n.constructor){case Number:c=n===1/0?"; expires=Fri, 31 Dec 9999 23:59:59 GMT":"; max-age="+n;break;case String:c="; expires="+n;break;case Date:c="; expires="+n.toUTCString()}return"rootDomain"!==r&&".rootDomain"!==r||(r=(".rootDomain"===r?".":"")+document.location.hostname.split(".").slice(-2).join(".")),document.cookie=encodeURIComponent(e)+"="+encodeURIComponent(o)+c+(r?"; domain="+r:"")+(t?"; path="+t:"")+(i?"; secure":""),!0}};

					// Implement IAB USP API.
					window.__uspapi = function( command, version, callback ) {

						// Validate callback.
						if ( typeof callback !== 'function' ) {
							return;
						}

						// Validate the given command.
						if ( command !== 'getUSPData' || version !== 1 ) {
							callback( null, false );
							return;
						}

						// Check for GPC. If set, override any stored cookie.
						if ( navigator.globalPrivacyControl ) {
							callback( { version: 1, uspString: '1YYN' }, true );
							return;
						}

						// Check for cookie.
						var consent = cookieLib.getItem( 'usprivacy' );

						// Invalid cookie.
						if ( null === consent ) {
							callback( null, false );
							return;
						}

						// Everything checks out. Fire the provided callback with the consent data.
						callback( { version: 1, uspString: consent }, true );
					};

					// Initialization.
					document.addEventListener( 'DOMContentLoaded', function() {

						// Internal functions.
						var setDefaultOptInCookie = function() {
							var value = '1YNN';
							var domain = '.wordpress.com' === location.hostname.slice( -14 ) ? '.rootDomain' : location.hostname;
							cookieLib.setItem( 'usprivacy', value, 365 * 24 * 60 * 60, '/', domain );
						};

						var setDefaultOptOutCookie = function() {
							var value = '1YYN';
							var domain = '.wordpress.com' === location.hostname.slice( -14 ) ? '.rootDomain' : location.hostname;
							cookieLib.setItem( 'usprivacy', value, 24 * 60 * 60, '/', domain );
						};

						var setDefaultNotApplicableCookie = function() {
							var value = '1---';
							var domain = '.wordpress.com' === location.hostname.slice( -14 ) ? '.rootDomain' : location.hostname;
							cookieLib.setItem( 'usprivacy', value, 24 * 60 * 60, '/', domain );
						};

						var setCcpaAppliesCookie = function( applies ) {
							var domain = '.wordpress.com' === location.hostname.slice( -14 ) ? '.rootDomain' : location.hostname;
							cookieLib.setItem( 'ccpa_applies', applies, 24 * 60 * 60, '/', domain );
						}

						var maybeCallDoNotSellCallback = function() {
							if ( 'function' === typeof window.doNotSellCallback ) {
								return window.doNotSellCallback();
							}

							return false;
						}

						// Look for usprivacy cookie first.
						var usprivacyCookie = cookieLib.getItem( 'usprivacy' );

						// Found a usprivacy cookie.
						if ( null !== usprivacyCookie ) {

							// If the cookie indicates that CCPA does not apply, then bail.
							if ( '1---' === usprivacyCookie ) {
								return;
							}

							// CCPA applies, so call our callback to add Do Not Sell link to the page.
							maybeCallDoNotSellCallback();

							// We're all done, no more processing needed.
							return;
						}

						// We don't have a usprivacy cookie, so check to see if we have a CCPA applies cookie.
						var ccpaCookie = cookieLib.getItem( 'ccpa_applies' );

						// No CCPA applies cookie found, so we'll need to geolocate if this visitor is from California.
						// This needs to happen client side because we do not have region geo data in our $SERVER headers,
						// only country data -- therefore we can't vary cache on the region.
						if ( null === ccpaCookie ) {

							var request = new XMLHttpRequest();
							request.open( 'GET', 'https://public-api.wordpress.com/geo/', true );

							request.onreadystatechange = function () {
								if ( 4 === this.readyState ) {
									if ( 200 === this.status ) {

										// Got a geo response. Parse out the region data.
										var data = JSON.parse( this.response );
										var ccpa_applies = data['region'] && data['region'].toLowerCase() === 'california';

										// Set CCPA applies cookie. This keeps us from having to make a geo request too frequently.
										setCcpaAppliesCookie( ccpa_applies );

										// Check if CCPA applies to set the proper usprivacy cookie.
										if ( ccpa_applies ) {
											if ( maybeCallDoNotSellCallback() ) {
												// Do Not Sell link added, so set default opt-in.
												setDefaultOptInCookie();
											} else {
												// Failed showing Do Not Sell link as required, so default to opt-OUT just to be safe.
												setDefaultOptOutCookie();
											}
										} else {
											// CCPA does not apply.
											setDefaultNotApplicableCookie();
										}
									} else {
										// Could not geo, so let's assume for now that CCPA applies to be safe.
										setCcpaAppliesCookie( true );
										if ( maybeCallDoNotSellCallback() ) {
											// Do Not Sell link added, so set default opt-in.
											setDefaultOptInCookie();
										} else {
											// Failed showing Do Not Sell link as required, so default to opt-OUT just to be safe.
											setDefaultOptOutCookie();
										}
									}
								}
							};

							// Send the geo request.
							request.send();
						} else {
							// We found a CCPA applies cookie.
							if ( ccpaCookie === 'true' ) {
								if ( maybeCallDoNotSellCallback() ) {
									// Do Not Sell link added, so set default opt-in.
									setDefaultOptInCookie();
								} else {
									// Failed showing Do Not Sell link as required, so default to opt-OUT just to be safe.
									setDefaultOptOutCookie();
								}
							} else {
								// CCPA does not apply.
								setDefaultNotApplicableCookie();
							}
						}
					} );
				};

				// Kickoff initialization.
				if ( window.defQueue && defQueue.isLOHP && defQueue.isLOHP === 2020 ) {
					defQueue.items.push( setupPrivacy );
				} else {
					setupPrivacy();
				}

			} )();
		</script>

		<!-- CCPA [end] -->
			<div id="actionbar" style="display: none;"
			class="actnbr-pub-hever actnbr-has-follow">
		<ul>
								<li class="actnbr-btn actnbr-hidden">
								<a class="actnbr-action actnbr-actn-follow " href="">
			<svg class="gridicon gridicons-reader-follow" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M23 16v2h-3v3h-2v-3h-3v-2h3v-3h2v3h3zM20 2v9h-4v3h-3v4H4c-1.1 0-2-.9-2-2V2h18zM8 13v-1H4v1h4zm3-3H4v1h7v-1zm0-2H4v1h7V8zm7-4H4v2h14V4z"/></g></svg><span>Follow</span>
		</a>
		<a class="actnbr-action actnbr-actn-following  no-display" href="">
			<svg class="gridicon gridicons-reader-following" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M23 13.482L15.508 21 12 17.4l1.412-1.388 2.106 2.188 6.094-6.094L23 13.482zm-7.455 1.862L20 10.89V2H2v14c0 1.1.9 2 2 2h4.538l4.913-4.832 2.095 2.176zM8 13H4v-1h4v1zm3-2H4v-1h7v1zm0-2H4V8h7v1zm7-3H4V4h14v2z"/></g></svg><span>Following</span>
		</a>
							<div class="actnbr-popover tip tip-top-left actnbr-notice" id="follow-bubble">
							<div class="tip-arrow"></div>
							<div class="tip-inner actnbr-follow-bubble">
															<ul>
											<li class="actnbr-sitename">
			<a href="https://imp0rtp3.wordpress.com">
				<img alt='' src='https://imp0rtp3.files.wordpress.com/2021/08/cropped-gd_obf.png?w=50' class='avatar avatar-50' height='50' width='50' />				imp0rtp3			</a>
		</li>
										<form method="post" action="https://subscribe.wordpress.com" accept-charset="utf-8" style="display: none;">
																				<div>
										<input type="email" name="email" placeholder="Enter your email address" class="actnbr-email-field" aria-label="Enter your email address" />
										</div>
										<input type="hidden" name="action" value="subscribe" />
										<input type="hidden" name="blog_id" value="196241778" />
										<input type="hidden" name="source" value="https://imp0rtp3.wordpress.com/2021/11/25/sowat/" />
										<input type="hidden" name="sub-type" value="actionbar-follow" />
										<input type="hidden" id="_wpnonce" name="_wpnonce" value="b591dbe622" />										<div class="actnbr-button-wrap">
											<button type="submit" value="Sign me up">
												Sign me up											</button>
										</div>
									</form>
									<li class="actnbr-login-nudge">
										<div>
											Already have a WordPress.com account? <a href="https://wordpress.com/log-in?redirect_to=https%3A%2F%2Fimp0rtp3.wordpress.com%2F2021%2F11%2F25%2Fsowat%2F&#038;signup_flow=account">Log in now.</a>										</div>
									</li>
								</ul>
															</div>
						</div>
					</li>
							<li class="actnbr-ellipsis actnbr-hidden">
				<svg class="gridicon gridicons-ellipsis" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M7 12c0 1.104-.896 2-2 2s-2-.896-2-2 .896-2 2-2 2 .896 2 2zm12-2c-1.104 0-2 .896-2 2s.896 2 2 2 2-.896 2-2-.896-2-2-2zm-7 0c-1.104 0-2 .896-2 2s.896 2 2 2 2-.896 2-2-.896-2-2-2z"/></g></svg>				<div class="actnbr-popover tip tip-top-left actnbr-more">
					<div class="tip-arrow"></div>
					<div class="tip-inner">
						<ul>
									<li class="actnbr-sitename">
			<a href="https://imp0rtp3.wordpress.com">
				<img alt='' src='https://imp0rtp3.files.wordpress.com/2021/08/cropped-gd_obf.png?w=50' class='avatar avatar-50' height='50' width='50' />				imp0rtp3			</a>
		</li>
								<li class="actnbr-folded-customize">
								<a href="https://imp0rtp3.wordpress.com/wp-admin/customize.php?url=https%3A%2F%2Fimp0rtp3.wordpress.com%2F2021%2F11%2F25%2Fsowat%2F">
									<svg class="gridicon gridicons-customize" height="20" width="20" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M2 6c0-1.505.78-3.08 2-4 0 .845.69 2 2 2 1.657 0 3 1.343 3 3 0 .386-.08.752-.212 1.09.74.594 1.476 1.19 2.19 1.81L8.9 11.98c-.62-.716-1.214-1.454-1.807-2.192C6.753 9.92 6.387 10 6 10c-2.21 0-4-1.79-4-4zm12.152 6.848l1.34-1.34c.607.304 1.283.492 2.008.492 2.485 0 4.5-2.015 4.5-4.5 0-.725-.188-1.4-.493-2.007L18 9l-2-2 3.507-3.507C18.9 3.188 18.225 3 17.5 3 15.015 3 13 5.015 13 7.5c0 .725.188 1.4.493 2.007L3 20l2 2 6.848-6.848c1.885 1.928 3.874 3.753 5.977 5.45l1.425 1.148 1.5-1.5-1.15-1.425c-1.695-2.103-3.52-4.092-5.448-5.977z"/></g></svg>									<span>Customize</span>
								</a>
							</li>
																<li class="actnbr-folded-follow">
												<a class="actnbr-action actnbr-actn-follow " href="">
			<svg class="gridicon gridicons-reader-follow" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M23 16v2h-3v3h-2v-3h-3v-2h3v-3h2v3h3zM20 2v9h-4v3h-3v4H4c-1.1 0-2-.9-2-2V2h18zM8 13v-1H4v1h4zm3-3H4v1h7v-1zm0-2H4v1h7V8zm7-4H4v2h14V4z"/></g></svg><span>Follow</span>
		</a>
		<a class="actnbr-action actnbr-actn-following  no-display" href="">
			<svg class="gridicon gridicons-reader-following" height="24" width="24" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><g><path d="M23 13.482L15.508 21 12 17.4l1.412-1.388 2.106 2.188 6.094-6.094L23 13.482zm-7.455 1.862L20 10.89V2H2v14c0 1.1.9 2 2 2h4.538l4.913-4.832 2.095 2.176zM8 13H4v-1h4v1zm3-2H4v-1h7v1zm0-2H4V8h7v1zm7-3H4V4h14v2z"/></g></svg><span>Following</span>
		</a>
										</li>
																	<li class="actnbr-signup"><a href="https://wordpress.com/start/">Sign up</a></li>
									<li class="actnbr-login"><a href="https://wordpress.com/log-in?redirect_to=https%3A%2F%2Fimp0rtp3.wordpress.com%2F2021%2F11%2F25%2Fsowat%2F&#038;signup_flow=account">Log in</a></li>
																	<li class="actnbr-shortlink"><a href="https://wp.me/sdhprY-sowat">Copy shortlink</a></li>
																	<li class="flb-report"><a href="http://en.wordpress.com/abuse/">Report this content</a></li>
																	<li class="actnbr-reader">
										<a href="https://wordpress.com/read/blogs/196241778/posts/183">
											View post in Reader										</a>
									</li>
																	<li class="actnbr-subs">
										<a href="https://subscribe.wordpress.com/">Manage subscriptions</a>
									</li>
																		<li class="actnbr-fold"><a href="">Collapse this bar</a></li>
															</ul>
					</div>
				</div>
			</li>
		</ul>
	</div>
	
<script>
window.addEventListener( "load", function( event ) {
	var link = document.createElement( "link" );
	link.href = "https://s0.wp.com/wp-content/mu-plugins/actionbar/actionbar.css?v=20210915";
	link.type = "text/css";
	link.rel = "stylesheet";
	document.head.appendChild( link );

	var script = document.createElement( "script" );
	script.src = "https://s0.wp.com/wp-content/mu-plugins/actionbar/actionbar.js?v=20211028";
	script.defer = true;
	document.body.appendChild( script );
} );
</script>

			<div id="jp-carousel-loading-overlay">
			<div id="jp-carousel-loading-wrapper">
				<span id="jp-carousel-library-loading">&nbsp;</span>
			</div>
		</div>
		<div class="jp-carousel-overlay" style="display: none;">

		<div class="jp-carousel-container">
			<!-- The Carousel Swiper -->
			<div
				class="jp-carousel-wrap swiper-container jp-carousel-swiper-container jp-carousel-transitions"
				itemscope
				itemtype="https://schema.org/ImageGallery">
				<div class="jp-carousel swiper-wrapper"></div>
				<div class="jp-swiper-button-prev swiper-button-prev">
					<svg width="25" height="24" viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg">
						<mask id="maskPrev" mask-type="alpha" maskUnits="userSpaceOnUse" x="8" y="6" width="9" height="12">
							<path d="M16.2072 16.59L11.6496 12L16.2072 7.41L14.8041 6L8.8335 12L14.8041 18L16.2072 16.59Z" fill="white"/>
						</mask>
						<g mask="url(#maskPrev)">
							<rect x="0.579102" width="23.8823" height="24" fill="#FFFFFF"/>
						</g>
					</svg>
				</div>
				<div class="jp-swiper-button-next swiper-button-next">
					<svg width="25" height="24" viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg">
						<mask id="maskNext" mask-type="alpha" maskUnits="userSpaceOnUse" x="8" y="6" width="8" height="12">
							<path d="M8.59814 16.59L13.1557 12L8.59814 7.41L10.0012 6L15.9718 12L10.0012 18L8.59814 16.59Z" fill="white"/>
						</mask>
						<g mask="url(#maskNext)">
							<rect x="0.34375" width="23.8822" height="24" fill="#FFFFFF"/>
						</g>
					</svg>
				</div>
			</div>
			<!-- The main close buton -->
			<div class="jp-carousel-close-hint">
				<svg width="25" height="24" viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg">
					<mask id="maskClose" mask-type="alpha" maskUnits="userSpaceOnUse" x="5" y="5" width="15" height="14">
						<path d="M19.3166 6.41L17.9135 5L12.3509 10.59L6.78834 5L5.38525 6.41L10.9478 12L5.38525 17.59L6.78834 19L12.3509 13.41L17.9135 19L19.3166 17.59L13.754 12L19.3166 6.41Z" fill="white"/>
					</mask>
					<g mask="url(#maskClose)">
						<rect x="0.409668" width="23.8823" height="24" fill="#FFFFFF"/>
					</g>
				</svg>
			</div>
			<!-- Image info, comments and meta -->
			<div class="jp-carousel-info">
				<div class="jp-carousel-info-footer">
					<div class="jp-carousel-pagination-container">
						<div class="jp-swiper-pagination swiper-pagination"></div>
						<div class="jp-carousel-pagination"></div>
					</div>
					<div class="jp-carousel-photo-title-container">
						<h2 class="jp-carousel-photo-caption"></h2>
					</div>
					<div class="jp-carousel-photo-icons-container">
						<a href="#" class="jp-carousel-icon-btn jp-carousel-icon-info" aria-label="Toggle photo metadata visibility">
							<span class="jp-carousel-icon">
								<svg width="25" height="24" viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg">
									<mask id="maskInfo" mask-type="alpha" maskUnits="userSpaceOnUse" x="2" y="2" width="21" height="20">
										<path fill-rule="evenodd" clip-rule="evenodd" d="M12.7537 2C7.26076 2 2.80273 6.48 2.80273 12C2.80273 17.52 7.26076 22 12.7537 22C18.2466 22 22.7046 17.52 22.7046 12C22.7046 6.48 18.2466 2 12.7537 2ZM11.7586 7V9H13.7488V7H11.7586ZM11.7586 11V17H13.7488V11H11.7586ZM4.79292 12C4.79292 16.41 8.36531 20 12.7537 20C17.142 20 20.7144 16.41 20.7144 12C20.7144 7.59 17.142 4 12.7537 4C8.36531 4 4.79292 7.59 4.79292 12Z" fill="white"/>
									</mask>
									<g mask="url(#maskInfo)">
										<rect x="0.8125" width="23.8823" height="24" fill="#FFFFFF"/>
									</g>
								</svg>
							</span>
						</a>
												<a href="#" class="jp-carousel-icon-btn jp-carousel-icon-comments" aria-label="Toggle photo comments visibility">
							<span class="jp-carousel-icon">
								<svg width="25" height="24" viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg">
									<mask id="maskComments" mask-type="alpha" maskUnits="userSpaceOnUse" x="2" y="2" width="21" height="20">
										<path fill-rule="evenodd" clip-rule="evenodd" d="M4.3271 2H20.2486C21.3432 2 22.2388 2.9 22.2388 4V16C22.2388 17.1 21.3432 18 20.2486 18H6.31729L2.33691 22V4C2.33691 2.9 3.2325 2 4.3271 2ZM6.31729 16H20.2486V4H4.3271V18L6.31729 16Z" fill="white"/>
									</mask>
									<g mask="url(#maskComments)">
										<rect x="0.34668" width="23.8823" height="24" fill="#FFFFFF"/>
									</g>
								</svg>

								<span class="jp-carousel-has-comments-indicator" aria-label="This image has comments."></span>
							</span>
						</a>
											</div>
				</div>
				<div class="jp-carousel-info-extra">
					<div class="jp-carousel-info-content-wrapper">
						<div class="jp-carousel-photo-title-container">
							<h2 class="jp-carousel-photo-title"></h2>
						</div>
						<div class="jp-carousel-comments-wrapper">
															<div id="jp-carousel-comments-loading">
									<span>Loading Comments...</span>
								</div>
								<div class="jp-carousel-comments"></div>
								<div id="jp-carousel-comment-form-container">
									<span id="jp-carousel-comment-form-spinner">&nbsp;</span>
									<div id="jp-carousel-comment-post-results"></div>
																														<form id="jp-carousel-comment-form">
												<label for="jp-carousel-comment-form-comment-field" class="screen-reader-text">Write a Comment...</label>
												<textarea
													name="comment"
													class="jp-carousel-comment-form-field jp-carousel-comment-form-textarea"
													id="jp-carousel-comment-form-comment-field"
													placeholder="Write a Comment..."
												></textarea>
												<div id="jp-carousel-comment-form-submit-and-info-wrapper">
													<div id="jp-carousel-comment-form-commenting-as">
																													<fieldset>
																<label for="jp-carousel-comment-form-email-field">Email (Required)</label>
																<input type="text" name="email" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-email-field" />
															</fieldset>
															<fieldset>
																<label for="jp-carousel-comment-form-author-field">Name (Required)</label>
																<input type="text" name="author" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-author-field" />
															</fieldset>
															<fieldset>
																<label for="jp-carousel-comment-form-url-field">Website</label>
																<input type="text" name="url" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-url-field" />
															</fieldset>
																											</div>
													<input
														type="submit"
														name="submit"
														class="jp-carousel-comment-form-button"
														id="jp-carousel-comment-form-button-submit"
														value="Post Comment" />
												</div>
											</form>
																											</div>
													</div>
						<div class="jp-carousel-image-meta">
							<div class="jp-carousel-title-and-caption">
								<div class="jp-carousel-photo-info">
									<h3 class="jp-carousel-caption" itemprop="caption description"></h3>
								</div>

								<div class="jp-carousel-photo-description"></div>
							</div>
							<ul class="jp-carousel-image-exif" style="display: none;"></ul>
							<a class="jp-carousel-image-download" target="_blank" style="display: none;">
								<svg width="25" height="24" viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg">
									<mask id="mask0" mask-type="alpha" maskUnits="userSpaceOnUse" x="3" y="3" width="19" height="18">
										<path fill-rule="evenodd" clip-rule="evenodd" d="M5.84615 5V19H19.7775V12H21.7677V19C21.7677 20.1 20.8721 21 19.7775 21H5.84615C4.74159 21 3.85596 20.1 3.85596 19V5C3.85596 3.9 4.74159 3 5.84615 3H12.8118V5H5.84615ZM14.802 5V3H21.7677V10H19.7775V6.41L9.99569 16.24L8.59261 14.83L18.3744 5H14.802Z" fill="white"/>
									</mask>
									<g mask="url(#mask0)">
										<rect x="0.870605" width="23.8823" height="24" fill="#FFFFFF"/>
									</g>
								</svg>
								<span class="jp-carousel-download-text"></span>
							</a>
							<div class="jp-carousel-image-map" style="display: none;"></div>
						</div>
					</div>
				</div>
			</div>
		</div>

		</div>
		
	<script type="text/javascript">
		window.WPCOM_sharing_counts = {"https:\/\/imp0rtp3.wordpress.com\/2021\/11\/25\/sowat\/":183};
	</script>
				<style>.wp-container-61c515db18f7d {display: flex;gap: 0.5em;flex-wrap: wrap;align-items: center;}.wp-container-61c515db18f7d > * { margin: 0; }</style><script crossorigin='anonymous' type='text/javascript' src='https://s1.wp.com/_static/??-eJzTLy/QTc7PK0nNK9EvyClNz8wr1i+uzCtJrMjITM/IAeKS1CJMEWP94uSizIISoOIM5/yiVL2sYh19yo1yKioFmldQADTOPtfW0MzQ1MTczNLYKAsAjy0/rA=='></script>
<script type='text/javascript'>
	(function(){
		var corecss = document.createElement('link');
		var themecss = document.createElement('link');
		var corecssurl = "https://s1.wp.com/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css?ver=3.0.9b";
		if ( corecss.setAttribute ) {
				corecss.setAttribute( "rel", "stylesheet" );
				corecss.setAttribute( "type", "text/css" );
				corecss.setAttribute( "href", corecssurl );
		} else {
				corecss.rel = "stylesheet";
				corecss.href = corecssurl;
		}
		document.head.appendChild( corecss );
		var themecssurl = "https://s2.wp.com/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css?m=1363304414h&amp;ver=3.0.9b";
		if ( themecss.setAttribute ) {
				themecss.setAttribute( "rel", "stylesheet" );
				themecss.setAttribute( "type", "text/css" );
				themecss.setAttribute( "href", themecssurl );
		} else {
				themecss.rel = "stylesheet";
				themecss.href = themecssurl;
		}
		document.head.appendChild( themecss );
	})();
	SyntaxHighlighter.config.strings.expandSource = '+ expand source';
	SyntaxHighlighter.config.strings.help = '?';
	SyntaxHighlighter.config.strings.alert = 'SyntaxHighlighter\n\n';
	SyntaxHighlighter.config.strings.noBrush = 'Can\'t find brush for: ';
	SyntaxHighlighter.config.strings.brushNotHtmlScript = 'Brush wasn\'t configured for html-script option: ';
	SyntaxHighlighter.defaults['pad-line-numbers'] = false;
	SyntaxHighlighter.defaults['toolbar'] = false;
	SyntaxHighlighter.all();

	// Infinite scroll support
	if ( typeof( jQuery ) !== 'undefined' ) {
		jQuery( function( $ ) {
			$( document.body ).on( 'post-load', function() {
				SyntaxHighlighter.highlight();
			} );
		} );
	}
</script>
<link rel='stylesheet' id='all-css-0-2' href='https://s0.wp.com/_static/??/wp-content/mu-plugins/carousel/swiper-bundle.css,/wp-content/mu-plugins/carousel/jetpack-carousel.css?m=1630955947j&cssminify=yes' type='text/css' media='all' />
<script id='comment-like-js-extra'>
var comment_like_text = {"loading":"Loading...","swipeUrl":"https:\/\/s2.wp.com\/wp-content\/mu-plugins\/comment-likes\/js\/lib\/swipe.js?ver=20131008"};
</script>
<script id='coblocks-lightbox-js-extra'>
var coblocksLigthboxData = {"closeLabel":"Close Gallery","leftLabel":"Previous","rightLabel":"Next"};
</script>
<script id='jetpack-carousel-js-extra'>
var jetpackSwiperLibraryPath = {"url":"\/wp-content\/mu-plugins\/carousel\/swiper-bundle.js"};
var jetpackCarouselStrings = {"widths":[370,700,1000,1200,1400,2000],"is_logged_in":"","lang":"en","ajaxurl":"https:\/\/imp0rtp3.wordpress.com\/wp-admin\/admin-ajax.php","nonce":"3476208070","display_exif":"1","display_comments":"1","display_geo":"1","single_image_gallery":"1","single_image_gallery_media_file":"","background_color":"black","comment":"Comment","post_comment":"Post Comment","write_comment":"Write a Comment...","loading_comments":"Loading Comments...","download_original":"View full size <span class=\"photo-size\">{0}<span class=\"photo-size-times\">\u00d7<\/span>{1}<\/span>","no_comment_text":"Please be sure to submit some text with your comment.","no_comment_email":"Please provide an email address to comment.","no_comment_author":"Please provide your name to comment.","comment_post_error":"Sorry, but there was an error posting your comment. Please try again later.","comment_approved":"Your comment was approved.","comment_unapproved":"Your comment is in moderation.","camera":"Camera","aperture":"Aperture","shutter_speed":"Shutter Speed","focal_length":"Focal Length","copyright":"Copyright","comment_registration":"0","require_name_email":"1","login_url":"https:\/\/imp0rtp3.wordpress.com\/wp-login.php?redirect_to=https%3A%2F%2Fimp0rtp3.wordpress.com%2F2021%2F11%2F25%2Fsowat%2F","blog_id":"196241778","meta_data":["camera","aperture","shutter_speed","focal_length","copyright"],"stats_query_args":"blog=196241778&v=wpcom&tz=1&user_id=0&subd=imp0rtp3","is_public":"1"};
</script>
<script id='sharing-js-js-extra'>
var sharing_js_options = {"lang":"en","counts":"1","is_stats_active":"1"};
</script>
<script crossorigin='anonymous' type='text/javascript' src='https://s0.wp.com/_static/??-eJyNkFtOxDAMRTdEanVGmscHYi1OYlp38iJOWtg9GZUBVKSKr8TXOTfXhiUpE0OhUGASsDSzofTeTfIEv1q+quTqwEHA8Y0E3ipVGjFYR3nnsYneN0mt0LQRtuAPpV00N4FD11+6Xgn75AgsS1k91nYzGcai45+0ZSTfvktVw4yZ8Q6lzB7zhwo484CFY9hSzXT4Dr7EbNGKMg5FvqL71Ol6n3hnYLSeg9KYwaMUyu2mSsaW9gFxMK7a1bKV5DXZrkF7W8Qcq5CDiUpqXuoh/INRS2o735Q7XIpS1KtDziBjW14YHmeDXvxzfzpez8fz4XKdPgEum9V6'></script>
<script type='text/javascript'>
var windowOpen;
			( function () {
				function matches( el, sel ) {
					return !! (
						el.matches && el.matches( sel ) ||
						el.msMatchesSelector && el.msMatchesSelector( sel )
					);
				}

				document.body.addEventListener( 'click', function ( event ) {
					if ( ! event.target ) {
						return;
					}

					var el;
					if ( matches( event.target, 'a.share-twitter' ) ) {
						el = event.target;
					} else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-twitter' ) ) {
						el = event.target.parentNode;
					}

					if ( el ) {
						event.preventDefault();

						// If there's another sharing window open, close it.
						if ( typeof windowOpen !== 'undefined' ) {
							windowOpen.close();
						}
						windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomtwitter', 'menubar=1,resizable=1,width=600,height=350' );
						return false;
					}
				} );
			} )();
var windowOpen;
			( function () {
				function matches( el, sel ) {
					return !! (
						el.matches && el.matches( sel ) ||
						el.msMatchesSelector && el.msMatchesSelector( sel )
					);
				}

				document.body.addEventListener( 'click', function ( event ) {
					if ( ! event.target ) {
						return;
					}

					var el;
					if ( matches( event.target, 'a.share-facebook' ) ) {
						el = event.target;
					} else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-facebook' ) ) {
						el = event.target.parentNode;
					}

					if ( el ) {
						event.preventDefault();

						// If there's another sharing window open, close it.
						if ( typeof windowOpen !== 'undefined' ) {
							windowOpen.close();
						}
						windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomfacebook', 'menubar=1,resizable=1,width=600,height=400' );
						return false;
					}
				} );
			} )();
</script>
	<script>
	/(trident|msie)/i.test(navigator.userAgent)&&document.getElementById&&window.addEventListener&&window.addEventListener("hashchange",function(){var t,e=location.hash.substring(1);/^[A-z0-9_-]+$/.test(e)&&(t=document.getElementById(e))&&(/^(?:a|select|input|button|textarea)$/i.test(t.tagName)||(t.tabIndex=-1),t.focus())},!1);
	</script>
	<script type="text/javascript">
// <![CDATA[
(function() {
try{
  if ( window.external &&'msIsSiteMode' in window.external) {
    if (window.external.msIsSiteMode()) {
      var jl = document.createElement('script');
      jl.type='text/javascript';
      jl.async=true;
      jl.src='/wp-content/plugins/ie-sitemode/custom-jumplist.php';
      var s = document.getElementsByTagName('script')[0];
      s.parentNode.insertBefore(jl, s);
    }
  }
}catch(e){}
})();
// ]]>
</script><script src="//stats.wp.com/w.js?63" defer></script> <script type="text/javascript">
_tkq = window._tkq || [];
_stq = window._stq || [];
_tkq.push(['storeContext', {'blog_id':'196241778','blog_tz':'1','user_lang':'en','blog_lang':'en','user_id':'0'}]);
_stq.push(['view', {'blog':'196241778','v':'wpcom','tz':'1','user_id':'0','post':'183','subd':'imp0rtp3'}]);
_stq.push(['extra', {'crypt':'UE5XaGUuOTlwaD85flAmcm1mcmZsaDhkV11YdWFnNncxc1tjZG9XVXhRaGp+TjRjdF9qRytaRXkweWJCNk1YNGZhaFtnaFJ2VmptNGVdVHZQNFR0K3dodU0lJWRpUnZNUlcmaXl3PVNUNF1OSFpLLHBJY2tvUXlMcSUwRGsydXRqT1F6c1tqTmprSTdtWU9YSWNtekwuWyxSJW5lP3k1RCsxaUcrRUJ5ZyZGJWwvNi5EV1E0MWM5Nk1jb1daNkZKdDZFY1Z0NWlYJnAlYWpNVUk0bnJEcW9qbGJ0eHVtb2lGW2FbTDJQMDY='}]);
_stq.push([ 'clickTrackerInit', '196241778', '183' ]);
	</script>
<noscript><img src="https://pixel.wp.com/b.gif?v=noscript" style="height:1px;width:1px;overflow:hidden;position:absolute;bottom:1px;" alt="" /></noscript>
<script defer id="bilmur" data-customproperties="{&quot;logged_in&quot;:&quot;0&quot;}" data-provider="wordpress.com" data-service="simple" src="/wp-content/js/bilmur.min.js?i=3&m=202151"></script><script>
if ( 'object' === typeof wpcom_mobile_user_agent_info ) {

	wpcom_mobile_user_agent_info.init();
	var mobileStatsQueryString = "";
	
	if( false !== wpcom_mobile_user_agent_info.matchedPlatformName )
		mobileStatsQueryString += "&x_" + 'mobile_platforms' + '=' + wpcom_mobile_user_agent_info.matchedPlatformName;
	
	if( false !== wpcom_mobile_user_agent_info.matchedUserAgentName )
		mobileStatsQueryString += "&x_" + 'mobile_devices' + '=' + wpcom_mobile_user_agent_info.matchedUserAgentName;
	
	if( wpcom_mobile_user_agent_info.isIPad() )
		mobileStatsQueryString += "&x_" + 'ipad_views' + '=' + 'views';

	if( "" != mobileStatsQueryString ) {
		new Image().src = document.location.protocol + '//pixel.wp.com/g.gif?v=wpcom-no-pv' + mobileStatsQueryString + '&baba=' + Math.random();
	}
	
}
</script>
</body>
</html>
